The vulnerability is a stored Cross-Site Scripting (XSS) issue in the Piranha CMS manager interface, specifically within the page editor's content blocks. The analysis of the patch commit 0a1e5081b9e954856ad9fe641335ab049b27090d reveals that the vulnerability existed in how user input was handled in certain Vue.js components.

In the quote-block component, the onAuthorBlur and onBodyBlur methods directly assigned user-provided innerText to the data model. This was unsafe because the text was not sanitized, allowing HTML and script injection.

In the text-block component, the v-model directive was used on a textarea. This created a direct, unsanitized two-way data binding between the user's input and the component's data model. Any content typed by the user was immediately reflected in the model and subsequently stored.

The patch addresses these issues by introducing DOMPurify.sanitize to clean the input in all identified vulnerable locations before it is stored in the data model. The identified functions are the direct entry points for the malicious payloads.