Log Injection in SAP/Infrabox

We discussed this vulnerability during Episode 73 on 20 April 2021

TL;DR: the /api/log endpoint writes attacker-controlled data to a log file. The attacker can also write to any *.log file.

On its own this issue is hard to discover without source access and not very damaging, until you consider what happens when you need to do IR and can’t trust your logs.
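As an added illustration (not Infrabox code), the primitive behind this class of bug and its mitigation: a line-oriented writer that interpolates the message verbatim, a hardened JSON-lines writer, and the reader-side check that flags records a tamperer could not have produced through the hardened path. The message and timestamp are constructed.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample: a message a client might POST to a log endpoint. The embedded
# newline followed by a fake timestamp/level is the log-injection primitive.
CONSTRUCTED_MESSAGE = "step finished\n2021-04-20T10:00:00Z INFO admin login ok"

# Fixed timestamp so the example is deterministic (a real writer would use utcnow()).
TIMESTAMP = "2021-04-20T09:59:58Z"


def naive_write(log: str, level: str, message: str) -> str:
    """Weak writer: interpolates the message verbatim into a line-oriented text log.
    Any '\\n' inside the message therefore becomes a second, forged record."""
    return log + "%s %s %s\n" % (TIMESTAMP, level, message)


def hardened_write(log: str, level: str, message: str) -> str:
    """Hardened writer: one JSON object per line. json.dumps escapes CR, LF and
    other control characters, so a message can never terminate its own record."""
    record = {"ts": TIMESTAMP, "level": level, "msg": message}
    return log + json.dumps(record) + "\n"


def text_records(log: str) -> List[str]:
    """How a log reader or SIEM parser sees a text log: one record per line."""
    return [line for line in log.splitlines() if line]


def json_records(log: str) -> Tuple[List[Dict], List[str]]:
    """Parse a JSON-lines log. Returns (valid records, lines that are not well-formed).
    Malformed lines in a log only the hardened writer should touch are a tamper signal."""
    good, bad = [], []
    for line in log.splitlines():
        if not line:
            continue
        try:
            rec = json.loads(line)
            if not isinstance(rec, dict) or {"ts", "level", "msg"} - set(rec):
                raise ValueError("missing fields")
            good.append(rec)
        except ValueError:  # json.JSONDecodeError is a ValueError subclass
            bad.append(line)
    return good, bad


if __name__ == "__main__":
    print(text_records(naive_write("", "INFO", CONSTRUCTED_MESSAGE)))      # 2 records, one forged
    print(json_records(hardened_write("", "INFO", CONSTRUCTED_MESSAGE)))  # 1 record, no bad lines
```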