The gist is that sending a POST request to the /send_email endpoint with two parameters, name and email, causes the application to send an email through an SMTP server to the specified address, with the name attached. To get the flag, email has to be email@example.com. The problem is that if that is the recipient, we will never see the flag, since we don't own that mailbox.
Upon closer inspection, one line stands out: mail['To'] = name + ' <' + email_address + '>'. The name and email_address parameters are concatenated directly into the message's "To" header, and the only validation on name is that it contains no newlines (\n, \r). That blocks injecting extra headers, but not injecting a second address into this one. We can supply a name such as Test <firstname.lastname@example.org> together with the email email@example.com, making the "To" line Test <firstname.lastname@example.org> <email@example.com>. The address smuggled in through name is what the mail gets delivered to, so the email reaches us, while the email parameter still equals email@example.com, so the server still puts the flag in the message.
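To make the gap between "no newlines" and "no second address" concrete, here is an added example (my code, not the challenge's): it rebuilds the To header the way the vulnerable line does, parses it the way an smtplib.send_message() call without an explicit to_addrs would, and puts that beside a builder that validates the address and lets email.utils.formataddr() quote the display name. FLAG_RECIPIENT, the address regex and the function names are assumptions; the addresses are the ones from the writeup.

```python
# Added example (not the challenge's code): why rejecting CR/LF in the display
# name does not stop a second address from being injected into the To header.
import email.utils
import re

# Assumption: the address the challenge compares the email parameter against.
FLAG_RECIPIENT = "email@example.com"


def build_to_header_vulnerable(name, email_address):
    """Mirror of the writeup's mail['To'] line: reject CR/LF in name, then concatenate."""
    if "\r" in name or "\n" in name:
        raise ValueError("newline in name")
    return name + " <" + email_address + ">"


def parse_recipients(to_header):
    """Envelope recipients a sender derives when it is given no explicit to_addrs
    and parses the To header instead (what smtplib.send_message() does).
    strict=False reproduces the lenient parsing every Python used before the
    CVE-2023-27043 hardening; interpreters older than that lack the keyword."""
    try:
        pairs = email.utils.getaddresses([to_header], strict=False)
    except TypeError:
        pairs = email.utils.getaddresses([to_header])
    return [addr for _display, addr in pairs if addr]


# Assumed, deliberately plain addr-spec shape: one local part, one domain,
# no whitespace or angle brackets, so a second address cannot ride along.
ADDR_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+")


def build_to_header_safe(name, email_address):
    """Validate the address, keep the CR/LF check, and let formataddr() quote the
    display name so '<', '>', '@' or '"' inside it cannot open a second address."""
    if not ADDR_RE.fullmatch(email_address):
        raise ValueError("not a plain addr-spec: %r" % email_address)
    if "\r" in name or "\n" in name:
        raise ValueError("newline in name")
    return email.utils.formataddr((name, email_address))


def send_outcome(name, email_address, builder):
    """Return (server thinks the flag recipient was requested, actual envelope recipients)."""
    header = builder(name, email_address)
    return email_address == FLAG_RECIPIENT, parse_recipients(header)


if __name__ == "__main__":
    payload_name = "Test <firstname.lastname@example.org>"
    print(send_outcome(payload_name, FLAG_RECIPIENT, build_to_header_vulnerable))
    print(send_outcome(payload_name, FLAG_RECIPIENT, build_to_header_safe))
```

With the vulnerable builder the header parses to two recipients, firstname.lastname@example.org and email@example.com, while the email parameter still matches FLAG_RECIPIENT, which is exactly the mismatch the exploit relies on; the safe builder produces "Test <firstname.lastname@example.org>" <email@example.com>, which parses to email@example.com only. One caveat: Pythons carrying the CVE-2023-27043 fix parse address headers strictly by default, and for the injected header getaddresses() then returns a single empty address instead of two recipients, so whether the mail actually lands in the attacker's mailbox also depends on how the sending code derives its envelope recipients. Passing to_addrs=[email_address] explicitly to smtplib takes the header out of that decision altogether.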