phpBB / PHPBB-16029

Password Reset Has No limit


    • Type: Security Issue
    • Resolution: Cannot Reproduce
    • Priority: Major

      Reported here: https://www.phpbb.com/community/viewtopic.php?f=556&t=2509771

      I've only tested 14 successive reset emails; presumably there is no limit?

      If someone knows the username and email address a user has used to register at xyz.com, they can use xyz.com to flood their email box. Another potential issue is someone using it against the site: it could be flagged as a spammer with so many emails going to the same address. Yet another issue is when outgoing emails are limited, which is common on shared hosting; they could effectively shut down registration/notifications/password resets of legitimate users.

      --edit--

      As pointed out in the topic, one could use the "send reactivation" link to flood someone's email box even if they never registered.

            Assignee: Marc
            Reporter: thecoalman
            Votes: 0
            Watchers: 3

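The mitigation the report implies, as an added illustration that is not phpBB's code and does not describe how phpBB handles this: a sliding-window limiter that is consulted before any account lookup, so it applies equally to the password reset form and to the "send reactivation" link, whether or not the supplied address belongs to a registered account. It budgets on three axes that map to the three harms in the report (one inbox being flooded, the site's mail reputation, and a shared-hosting outbound quota). The limits, the window lengths, the class and function names, and the fake clock are all assumptions made for the example.

```python
import time
from collections import defaultdict, deque


class ResetEmailLimiter:
    """Sliding-window limiter for account emails (password reset, reactivation).

    Three independent budgets, checked on every request *before* any account
    lookup, so the cap applies whether or not the address is registered:
      per recipient address  - caps how often one inbox can be hit
      per client IP          - caps how many addresses one source can target
      global                 - caps total outbound mail in the window
                               (shared-hosting quotas)
    Limits and window lengths here are illustrative, not phpBB defaults.
    """

    # Same text on every path, so the response leaks neither whether the
    # address is registered nor whether the limit was reached.
    GENERIC_RESPONSE = "If that address is registered, an email has been sent."

    def __init__(self, per_address=(3, 3600), per_ip=(10, 3600),
                 global_limit=(500, 3600), clock=time.monotonic):
        self.per_address = per_address      # (max sends, window seconds)
        self.per_ip = per_ip
        self.global_limit = global_limit
        self.clock = clock                  # injectable for deterministic tests
        self._by_address = defaultdict(deque)
        self._by_ip = defaultdict(deque)
        self._global = deque()

    @staticmethod
    def normalize(address):
        # "Bob@Example.com " and "bob@example.com" must share one budget,
        # otherwise the per-address cap is bypassed by changing case.
        return address.strip().lower()

    @staticmethod
    def _prune(q, now, window):
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= window:
            q.popleft()

    def _over(self, q, now, limit_window):
        limit, window = limit_window
        self._prune(q, now, window)
        return len(q) >= limit

    def request(self, recipient, client_ip):
        """Return (should_send, message) for one reset/reactivation request."""
        now = self.clock()
        addr_q = self._by_address[self.normalize(recipient)]
        ip_q = self._by_ip[client_ip]
        if (self._over(addr_q, now, self.per_address)
                or self._over(ip_q, now, self.per_ip)
                or self._over(self._global, now, self.global_limit)):
            return False, self.GENERIC_RESPONSE
        # Record the send against every budget it consumes.
        addr_q.append(now)
        ip_q.append(now)
        self._global.append(now)
        return True, self.GENERIC_RESPONSE


def simulate_flood(attempts=14, per_address=(3, 3600)):
    """Replay the report's scenario: one source asking for `attempts` reset
    emails to the same inbox, one per second. Returns how many would be sent.
    The clock is faked so the run is deterministic and offline."""
    t = [0.0]
    limiter = ResetEmailLimiter(per_address=per_address, clock=lambda: t[0])
    sent = 0
    for _ in range(attempts):
        ok, _msg = limiter.request("Victim@Example.com", "203.0.113.7")
        sent += ok
        t[0] += 1.0
    return sent


if __name__ == "__main__":
    print(f"{simulate_flood()} of 14 reset emails would actually be sent")
```

In a real deployment the timestamps would live in the database or cache rather than process memory, and each key would expire with its window; the in-memory dicts above grow without bound. The important properties are that the check runs before the account is looked up, that the recipient address is normalized before it is used as a key, and that the user-visible message is identical on the allowed and the throttled path.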