Impact
The vulnerability is an improper neutralization of input during web page generation that permits a reflected cross‑site scripting (XSS) attack. An attacker can embed malicious scripts that are executed in the browsers of users who view impacted pages. This can lead to theft of session cookies, defacement of the site, and redirection to malicious sites, compromising the confidentiality and integrity of authenticated sessions and the availability of normal web interaction for legitimate users.
Affected Systems
The affected vendor is Singsys, and the affected product is its Singsys –Awesome Gallery plugin. All releases from the start of the product up to and including version 1.0 are vulnerable. Users running any of these versions should be aware that the plugin accepts unsanitized input that is reflected back in the page output.
Risk and Exploitability
The CVSS score of 7.1 marks this as a high‑severity flaw, yet the EPSS score is below 1%, indicating a low probability of widespread exploitation at present. The flaw is not listed in CISA’s KEV catalog. Attackers can exploit the vulnerability by crafting a malicious URL or form submission that includes unescaped user input, which is then displayed by the gallery page. The attack vector is a remote web page and requires an attacker to lure a victim to the affected URL. Once the victim loads the page, the injected script executes in the victim’s browser context.