The issue is XSS, i.e. you can place arbitrary HTML such that it appears
to originate from the Overpass server by sending a crafted request to
the server. No personal data has been leaked because Overpass servers do
not process any. No attack in the wild is known so far. Details will
follow in a couple of days.
I would like to thank the people that have reported the vulnerability.