It is possible for an attacker to control src attribute of HTML img tag. It may execute JavaScript and lead to a Cross-site Scripting (XSS) vulnerability.

If there is also an XSS for the same injection point, it will be reported as separate.