Is there a potential XSS in this html action attribute?

I’m working on a website and I noticed that if I go to the following URL: website.com/page?alert() this message is reflected in the action form. I tried to close the action attribute using double quotes in order to try a classic like " onload="alert(1)" but double quotes are URLencoded if i read the source code. Do you have some suggestion? Or is just a rabbit hole? Thanks

 <form method="post" action="./page?alert()" id="cn"> <div class="n">