Fava before 1.22.3 is vulnerable to reflected cross-site scripting due to improper validation on filter conversion.