XSS on error page

While I was looking for Business Logic Flaws on this target, I wondered what the response would be if I provided the wrong credentials.

When I entered the wrong credentials, an error page appeared along with the message "Invalid Username/Password". The URL looked like: https://example.com/login?errorCd=views.login.email.password.required So I tampered with the parameter using XSS payloads. However, the payloads were not executing.

I then tried SSTI payloads, and one of them got executed. The final PoC link looked like: https://example.com/login?errorCd={{2*2}} and the error message displayed "4".

I reported it under Client Side Template Injection but later it was categorized by the triager as XSS 🤷‍♂️.
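The root cause described above is an error code taken straight from the query string and rendered through a client-side template, so `{{2*2}}` is evaluated instead of displayed. The following is an added example, not code from the original write-up or from the affected site; every name in it (`ERROR_MESSAGES`, `safeErrorMessage`, `flagTemplateParams`, the sample log lines) is an assumption. It shows the defensive pattern of mapping the `errorCd` parameter through an allowlist instead of reflecting it, and a small log check that flags query parameters carrying template-expression syntax so such probes show up in review.

```javascript
// Added example (not from the original write-up). Names, messages and
// log lines are constructed for illustration.

// Mitigation: an allowlist of known error codes mapped to fixed messages.
// Unknown codes fall back to a generic message, so the raw parameter value
// never reaches the rendered page or the template engine.
const ERROR_MESSAGES = {
  "views.login.email.password.required": "Invalid Username/Password",
  "views.login.email.required": "Email address is required",
};

function safeErrorMessage(errorCd) {
  return Object.prototype.hasOwnProperty.call(ERROR_MESSAGES, errorCd)
    ? ERROR_MESSAGES[errorCd]
    : "An error occurred. Please try again.";
}

// Detection: delimiters used by common client-side template libraries
// ({{ }} for Angular/Vue-style templates, plus ${ } and #{ } variants).
const TEMPLATE_EXPR = /\{\{[\s\S]*?\}\}|\$\{[^}]*\}|#\{[^}]*\}/;

function hasTemplateExpression(value) {
  return TEMPLATE_EXPR.test(value);
}

// Scan one access-log line (common log format assumed) and return the names
// of query parameters whose decoded value contains template syntax.
function flagTemplateParams(logLine) {
  const m = logLine.match(/"(?:GET|POST) (\S+) HTTP/);
  if (!m) return [];
  let url;
  try {
    // Base origin is a placeholder; only the path and query matter here.
    url = new URL(m[1], "https://placeholder.invalid");
  } catch {
    return [];
  }
  const flagged = [];
  for (const [name, value] of url.searchParams) {
    // searchParams already percent-decodes, so %7B%7B becomes {{.
    if (hasTemplateExpression(value)) flagged.push(name);
  }
  return flagged;
}

// Constructed sample log lines (not real traffic).
const SAMPLE_LOG = [
  '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /login?errorCd=views.login.email.password.required HTTP/1.1" 200 512',
  '10.0.0.9 - - [01/Jan/2024:10:00:01 +0000] "GET /login?errorCd=%7B%7B2*2%7D%7D HTTP/1.1" 200 498',
  '10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /about HTTP/1.1" 200 1024',
];

// Return only the lines that carry a flagged parameter.
function scanLog(lines) {
  return lines
    .map((line) => ({ line, flagged: flagTemplateParams(line) }))
    .filter((r) => r.flagged.length > 0);
}

for (const hit of scanLog(SAMPLE_LOG)) {
  console.log(`template syntax in ${hit.flagged.join(",")}: ${hit.line}`);
}
console.log(safeErrorMessage("{{2*2}}"));
```

The allowlist lookup is the fix that matters: once the page only ever renders a message chosen by the server from a fixed table, the template engine has nothing attacker-controlled to evaluate, and the same pattern removes the XSS variant as well. The log check is a cheap complement for spotting probes against other reflected parameters.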
