The URL is not escaped in the error message, which makes it possible to inject JavaScript via the URL.
vulners.com/securityvulns/securityvulns:doc:3368
vulners.com/securityvulns/securityvulns:doc:3382
vulners.com/securityvulns/securityvulns:doc:847
vulners.com/securityvulns/securityvulns:doc:848