Ways to exploit a form action value when it's reflected from URI on React-Django


I am working on a security testing project, where I have noticed that the form action of a login page takes whatever is fed to the URI as a parameter. The respective part of the login page is as follows:

<form action="/admin/login/?param=Whateveryouputhere" method="post" id="login-form"> 

Actually, you can even omit the “param”; any value after the question mark will still be reflected. The default value for the param is “/next/” btw.

How could an attacker exploit it, especially via XSS? I tried to escape the quotations but it failed (they are auto-replaced with URL-encodings). Does it mean it is safe?

I have also checked the network tab of the browser, no other relative JS files are loaded except favicon and magnific popup.

Finally, the URL is in the form of site.com/admin/login/?param=value
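
An added example, not part of the original post: a check that parses a rendered `<form>` tag and reports whether a reflected query string stayed inside the `action` attribute. `render_login_form` is a hypothetical stand-in that assumes the server percent-encodes and then HTML-escapes the value, in line with the encoding the question observes; the sample inputs are constructed.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import quote

# Attributes the login form on this page is expected to carry.
EXPECTED_ATTRS = {"action", "method", "id"}

def render_login_form(raw_query: str) -> str:
    """Hypothetical server stand-in (assumption): percent-encode, then HTML-escape."""
    encoded = quote(raw_query, safe="=&/")
    action = escape("/admin/login/?" + encoded, quote=True)
    return f'<form action="{action}" method="post" id="login-form">'

class FormAudit(HTMLParser):
    """Records every start tag seen and the attributes of the first <form>."""
    def __init__(self):
        super().__init__()
        self.tags, self.form_attrs = [], None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag == "form" and self.form_attrs is None:
            self.form_attrs = dict(attrs)

def audit(html_fragment: str) -> dict:
    """Report anything the reflected value added outside the action attribute."""
    parser = FormAudit()
    parser.feed(html_fragment)
    parser.close()
    attrs = parser.form_attrs or {}
    return {
        "extra_tags": [t for t in parser.tags if t != "form"],
        "extra_attrs": sorted(set(attrs) - EXPECTED_ATTRS),
        "action": attrs.get("action"),
    }

# Constructed sample inputs: the default value and one with HTML metacharacters.
SAMPLES = ["param=/next/", 'param=a"b<c>d\'e']

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", audit(render_login_form(sample)))
```

To test a real deployment, pass the `<form ...>` tag copied from the actual response to `audit` instead of the stand-in's output; a non-empty `extra_attrs` or `extra_tags` means the value left the attribute.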