| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| magento/community-edition | composer | < 2.3.6 | 2.3.6 |
| magento/community-edition | composer | >= 2.4.0, < 2.4.1-p1 | 2.4.1-p1 |
| magento/project-community-edition | composer | <= 2.0.2 | |
The vulnerability stems from improper output sanitization in the admin notification preview flow. Analysis of Magento's security patches indicates that the fix added HTML escaping of the title parameters in both the Block class (via escapeHtml) and the template rendering. The Preview controller's handling of request parameters without validation creates the injection vector. These components map directly to the described stored XSS attack pattern, which requires admin privileges.
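Added example, not Magento's own code: a minimal PHP stand-in for the preview block that renders the title parameter raw, beside the escaped rendering the fix describes. The `PreviewBlock` class, its `escapeHtml()` stand-in (htmlspecialchars with ENT_QUOTES) and the sample title are assumptions for illustration; it needs PHP 8.

```php
<?php
// Simplified stand-in for the admin notification preview block (assumed
// class; not Magento's). escapeHtml() mirrors an escaper only as far as
// needed here: htmlspecialchars with ENT_QUOTES.
final class PreviewBlock
{
    public function __construct(private array $request) {}

    // The title request parameter is taken as-is, with no validation,
    // which is the injection vector the advisory describes.
    public function getTitle(): string
    {
        return (string) ($this->request['title'] ?? '');
    }

    // Escaper stand-in: encodes <, >, &, " and ' so the title can only
    // ever reach the page as text, never as markup.
    public function escapeHtml(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // Before the fix: the template echoes the raw title into the page.
    public function renderVulnerable(): string
    {
        return '<h1 class="title">' . $this->getTitle() . '</h1>';
    }

    // After the fix: escaping is applied at the point of output.
    public function renderFixed(): string
    {
        return '<h1 class="title">' . $this->escapeHtml($this->getTitle()) . '</h1>';
    }
}

// Constructed sample input: a title containing markup, as an admin-level
// user could submit it. Only the fixed rendering keeps it inert.
$block = new PreviewBlock(['title' => 'Sale <script>alert(1)</script>']);
echo $block->renderVulnerable(), PHP_EOL; // markup reaches the page unchanged
echo $block->renderFixed(), PHP_EOL;      // markup is rendered as literal text
```

A detection-side check for the same defect is to grep preview templates for `getTitle()` echoed without `escapeHtml` (or the equivalent escaper call) around it.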