A flaw was found in Keycloak in the execute-actions-email endpoint. This issue allows arbitrary HTML to be injected into emails sent to Keycloak users and can be misused to perform phishing or other attacks against users.
https://herolab.usd.de/security-advisories/usd-2021-0033/
https://github.com/keycloak/keycloak/security/advisories/GHSA-m4fv-gm5m-4725