Google explains JavaScript execution on non-200 HTTP status codes

Google noted that if the HTTP status code is non-200 (for example, on error pages with 404 status code), rendering might be skipped.
SecurityWeek

Ivanti EPM Update Patches Critical Remote Code Execution Flaw

A critical Ivanti EPM vulnerability could allow unauthenticated attackers to execute arbitrary code remotely with ...