This is a demo Flask application for login and password reset.
There is only 1 user; admin@admin.com
Maybe the password reset functionality is vulnerable to host header injection 👀