github-readme-stats shows error page when the username is not valid, which includes the username without neutralization, causing reflected cross-site scripting.
6.1(Medium) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
The page /api accepts username parameter. If the username is not valid, an error page is returned. The error page contains the username without neutralization. Attackers can use username with <script> tags to cause reflected cross-site scripting.