F-2025-0009·xss
Reflected URL parameter name, potential XSS (parameter name echoed unencoded)
TL;DR
Second instance of reflected URL parameter name being echoed unencoded into the response, distinct endpoint from M-05.
Severity
MEDIUM
Impact
MEDIUM
Likelihood
MEDIUM
Method
Manual review
CAT.
Complexity
LOW
Exploitability
MEDIUM
Section 02 · Description
A separate endpoint exhibited the same pattern as M-05: URL parameter names were echoed verbatim into the response without HTML encoding. Tracked as a distinct finding because the affected endpoint and the consumer surface differ.
Section 03 · Impact
Same as M-05: a reflected XSS vector that becomes exploitable if a downstream consumer renders the response into HTML.
Section 04 · Recommendation
HTML-encode parameter names at the point where they are written into the response. Apply the global response-encoding pattern recommended in M-05 across the whole URL-handling layer, rather than patching the two known endpoints individually, so that any reflection points not yet identified are covered as well.
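The pattern behind this finding and its fix, as an added example that is not the audited project's code: a handler that lists unrecognised URL parameter names in an HTML body, once echoing them verbatim (the reported behaviour) and once HTML-encoding them at the reflection point (the recommendation). The endpoint logic, the known-parameter list, the attacker query and the canary check are all constructed for illustration. The canary check at the end is the kind of regression test that makes the "catch unidentified instances" part of the recommendation verifiable: point it at any response-rendering function and it reports whether a parameter name containing HTML metacharacters comes back unencoded.

```javascript
// Added example, not the audited project's code. Endpoint logic and
// parameter names are invented for illustration.
const KNOWN_PARAMS = new Set(["page", "limit"]);

// Minimal HTML entity encoder for text placed in an element body or a
// double-quoted attribute value.
function htmlEncode(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Returns the names of parameters the endpoint does not recognise.
// URLSearchParams percent-decodes names, so %3C arrives as "<".
function unknownParamNames(queryString) {
  const names = [];
  for (const [name] of new URLSearchParams(queryString)) {
    if (!KNOWN_PARAMS.has(name)) names.push(name);
  }
  return names;
}

// Vulnerable pattern (the finding): parameter NAMES are echoed verbatim
// into the HTML response.
function renderVulnerable(queryString) {
  const unknown = unknownParamNames(queryString);
  return `<p>Unknown parameters: ${unknown.join(", ")}</p>`;
}

// Fixed pattern (the recommendation): every reflected name is HTML-encoded
// at the point where it enters the response body.
function renderFixed(queryString) {
  const unknown = unknownParamNames(queryString).map(htmlEncode);
  return `<p>Unknown parameters: ${unknown.join(", ")}</p>`;
}

// Constructed attacker query: the payload sits in the parameter NAME; the
// value is irrelevant and is never reflected. The payload avoids "=" so that
// URLSearchParams keeps it whole as the name.
const ATTACK_QUERY = "?page=1&<script>alert(1)</script>=ignored";

// Regression check for the "unidentified instances" part of the fix: send a
// canary name containing HTML metacharacters through a render function and
// report whether it comes back unencoded.
const CANARY = "zx<canary>";
function reflectsNameUnencoded(render) {
  const body = render(`?${encodeURIComponent(CANARY)}=1`);
  return body.includes(CANARY);
}

console.log(renderVulnerable(ATTACK_QUERY));
console.log(renderFixed(ATTACK_QUERY));
console.log("vulnerable reflects raw:", reflectsNameUnencoded(renderVulnerable));
console.log("fixed reflects raw:", reflectsNameUnencoded(renderFixed));
```

Note that `htmlEncode` is correct only for element content and quoted attribute values; a name reflected into a `<script>` block, an unquoted attribute or a URL needs the encoder for that context instead, which is why the recommendation asks for the encoding to live in the response layer that knows the context rather than at each call site.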
Ipal Network: Confirmed. Zealynx: Fixed.
Status
Fixed