This is a very minor issue since it requires elevated permission but error messages (in the $err var) are not escaped before being passed to Html::rawElement() in the getError() function in the Hooks class.
Affiliation: Miraheze/WikiTide Security reviewer