netbox-data-flows has stored XSS in ObjectAlias names rendered inside DataFlow tables
An authenticated user who can create or edit ObjectAlias objects can store arbitrary HTML/JavaScript in an alias name. That payload is later rendered unescaped in DataFlow table views, causing a stored XSS when another user views the affected page.