The vulnerability stems from improper handling of 'company_key' in the password reset flow. The original code used session-stored 'company_key' to set the database context, which could be manipulated via session poisoning or other means. If this value was later reflected in web output without sanitization (e.g., in error messages or hidden form fields), it created an XSS vector. The patch in commit 1186eaa modified the code to use request input directly while removing session dependency, indicating the original implementation lacked proper input validation and output encoding for this parameter.