The vulnerability stems from improper neutralization of file names before DOM insertion. The advisory references line 168 in the source file, which in the patched version (PR #40) shows security-focused changes. The fix involved using textContent instead of innerHTML for filename display, indicating the original implementation directly injected user-controlled filenames into DOM elements without sanitization. This pattern matches classic stored XSS vulnerability patterns where user-controlled input is rendered unsafely.