From preliminary analysis (based on reverse-engineered patches and proof-of-concept exploits), the vulnerability resides in a legacy API endpoint used for third-party booking integrations. Specifically, the /api/v1/radixx/booking/import endpoint fails to sanitize XML input before passing it to a system call that processes payment authorizations.
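As an added illustration (not the vendor's code and not part of the original analysis), a handler for this class of bug can validate each XML field against an allow-list and hand the values to the external program as separate arguments, with no shell involved. The element names, value formats and the stand-in helper below are assumptions, since the page does not describe the import schema or the program being called.

```python
import re
import subprocess
import sys
import xml.etree.ElementTree as ET

# Hypothetical schema: the page does not document the import format.
FIELD_RULES = {
    "BookingRef": re.compile(r"[A-Z0-9]{6}"),
    "Amount": re.compile(r"[0-9]{1,7}\.[0-9]{2}"),
    "Currency": re.compile(r"[A-Z]{3}"),
}
# Stand-in for the payment helper (assumption): echoes the argv it receives.
DEMO_HELPER = [sys.executable, "-c", "import sys; print(sys.argv[1:])"]

class RejectedInput(ValueError):
    """Raised when the document or one of its fields fails validation."""

def extract_fields(xml_bytes):
    # Refuse DTDs and entity declarations before the parser sees them.
    if b"<!DOCTYPE" in xml_bytes or b"<!ENTITY" in xml_bytes:
        raise RejectedInput("DTD or entity declaration present")
    try:
        root = ET.fromstring(xml_bytes)
    except ET.ParseError as exc:
        raise RejectedInput("malformed XML") from exc
    fields = {}
    for name, rule in FIELD_RULES.items():
        value = (root.findtext(name) or "").strip()
        if not rule.fullmatch(value):  # allow-list: whole value must match
            raise RejectedInput(f"field {name} failed validation")
        fields[name] = value
    return fields

def authorize(xml_bytes, helper=DEMO_HELPER):
    f = extract_fields(xml_bytes)
    # Risky shape for this bug class: request data concatenated into one
    # string and run through a shell. Here each validated value is its own
    # argv element and no shell is started.
    argv = [*helper, "--ref", f["BookingRef"], "--amount", f["Amount"],
            "--currency", f["Currency"]]
    return subprocess.run(argv, shell=False, capture_output=True,
                          text=True, timeout=10, check=False)

# Constructed sample requests, not captured traffic.
GOOD = (b"<Booking><BookingRef>ABC123</BookingRef>"
        b"<Amount>199.00</Amount><Currency>USD</Currency></Booking>")
BAD = GOOD.replace(b"ABC123", b"ABC123; id")

if __name__ == "__main__":
    print(authorize(GOOD).stdout.strip())
```

Rejections raised as RejectedInput are also a useful detection signal: logging the failing field name (not the raw value) gives responders a record of malformed import attempts against the endpoint.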