This beauty was finally published today CVE-2020-22789 (after almost a year of our report). Is an unauthenticated stored XSS (the worst kind) in a Data integration software used by huge companies like airports and electricity providers.

This was found with my coleage David van Gool

More information: Unauthenticated Stored XSS in FME Server versions 2019.2 and 2020.0 Beta allows a remote attacker to gain admin privileges by injecting arbitrary web script or HTML via the login page. The XSS is executed when an administrator accesses the logs.