I hope it's gonna be a fortinet zeroday, I'd like to see De Niro do /../ and then bypass the fix with /..;/
24.12.2024 07:26
The question I often face handling that kind of bug is whether having to target a specific user (admin) with social engineering would make the attack complexity High, or whether User Interaction "required" is enough here to have a realistic CVSS score.
In my opinion PR is None as it is a reflected XSS; the attacker does not need privileges to craft the payload and send it to an admin.