Impact
This vulnerability originates from improper neutralization of input during web page generation in the Site Launcher plugin. A malicious actor can embed script content into reflected parameters, causing the plugin to render the payload in the page. When users visit the crafted URL, the script runs in the context of the site, potentially allowing attackers to steal session cookies, manipulate page content, or redirect users to phishing sites. The weakness is classified as CWE‑79, a classic reflected XSS flaw.
Affected Systems
The affected product is the Site Launcher plugin developed by saill. All releases from the earliest version up through 0.9.4 are vulnerable, meaning any installation of 0.9.4 or earlier is at risk. No other vendors or products are listed as impacted.
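The version range above can be checked against an installation's plugin directory. The following is an added example, not code from the plugin or from the advisory source: it reads the standard WordPress plugin header from each plugin's PHP files and flags a Site Launcher copy at or below 0.9.4. The sample header is constructed, and matching on the header name "Site Launcher" is an assumption about how the plugin identifies itself.

```python
import re
from pathlib import Path

LAST_AFFECTED = (0, 9, 4)  # advisory: all releases up through 0.9.4

# WordPress plugin headers are "Key: value" lines in the main file's leading comment.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.I | re.M)

# Constructed sample header, for illustration only.
SAMPLE = "<?php\n/*\n * Plugin Name: Site Launcher\n * Version: 0.9.4\n */\n"

def parse_header(php_source):
    """Return {'plugin name': ..., 'version': ...}; the first occurrence of a key wins."""
    fields = {}
    for key, value in HEADER_RE.findall(php_source[:8192]):  # WordPress reads the first 8 KB
        fields.setdefault(key.lower(), value.strip())
    return fields

def version_tuple(text):
    """Leading numeric components of a version string: '0.9.4-beta' -> (0, 9, 4)."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    return tuple(int(p) for p in m.group().split(".")) if m else None

def is_affected(version_text):
    """True when the version is within the advisory's range (<= 0.9.4)."""
    v = version_tuple(version_text)
    if v is None:
        return True  # unparseable version: treat as affected until checked by hand
    width = max(len(v), len(LAST_AFFECTED))
    pad = lambda t: t + (0,) * (width - len(t))  # so 0.9 compares as 0.9.0
    return pad(v) <= pad(LAST_AFFECTED)

def scan_plugins(plugins_dir, name="Site Launcher"):
    """Return (file, version, affected) for each plugin file whose header names the plugin."""
    findings = []
    for php in sorted(Path(plugins_dir).glob("*/*.php")):
        hdr = parse_header(php.read_text(errors="replace"))
        if hdr.get("plugin name", "").lower() == name.lower():
            ver = hdr.get("version", "")
            findings.append((str(php), ver, is_affected(ver)))
    return findings

if __name__ == "__main__":
    import sys
    for path, ver, hit in scan_plugins(sys.argv[1] if len(sys.argv) > 1 else "wp-content/plugins"):
        print(f"{path}: version {ver or '?'} -> {'AFFECTED' if hit else 'outside advisory range'}")
```

A result of "outside advisory range" means only that the installed version is above 0.9.4, the last version the advisory lists as vulnerable.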
Risk and Exploitability
The CVSS score of 7.1 indicates moderate severity, while the EPSS score of less than 1% reflects a low probability of widespread exploitation at this time. The vulnerability is not catalogued in the CISA KEV list. Exploitation would likely proceed via a crafted URL that includes malicious script payloads, which attackers can reproduce with minimal resources. If successful, the impact would be limited to the browsers of visitors who click the link, but the damage can be significant for sites with high traffic, including credential theft and defacement of the pages users see.