MonicaHQ version 4.0.0 allows an authenticated remote attacker to execute malicious code in the application via CSTI in the people:id/introductions endpoint and firstmetadditional_info parameter.
people:id/introductions