templates/forms/thanks.html in Formspree before 2018-01-23 allows XSS related to the _next parameter.Referenceshttps://github.com/formspree/formspree/commit/5f18eeaaa459bee9a58f70cdf7c46adb1ef34ea7
