Impact
A reflected cross-site scripting flaw allows an attacker to inject malicious script into the response returned by DSpace JSPUI 6.5 when a user submits a specially crafted search query. The vulnerability arises because the filter_type_1 parameter is not properly sanitized, so input containing script code is reflected into the page and executed by the browser in the context of the user's session, whether or not the user is authenticated. This could enable attackers to steal session cookies, perform account takeover, or deface the application.
Affected Systems
The affected product is DSpace JSPUI version 6.5. No other vendor or product variants are listed. Users running this version of the JSP user interface should review the impact on their installations.
Risk and Exploitability
The vulnerability is of moderate to high risk because it can be triggered through a URL alone and does not require privileged access. While no CVSS score or EPSS value is supplied, the existence of a reflected XSS suggests a potential for widespread exploitation through phishing or compromised search queries. The flaw is not listed in the CISA KEV catalog, indicating no confirmed exploitation yet, but the risk remains inherent to the vulnerability's nature. Potential attackers could simply craft a malicious link to a DSpace search page containing a crafted filter_type_1 value and distribute it to users. Given the lack of an official patch, the risk persists until mitigation steps are applied.
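A defender-side check for the parameter described above, as an added example that is not part of the original advisory or of DSpace: it scans web access-log lines for filter_type_1 values that fail an allow-list, undoing repeated percent-encoding first. The combined log format, the /jspui/search path, the addresses and the identifier-only allow-list are constructed assumptions to adapt to your installation.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

PARAM = "filter_type_1"
# Assumption: legitimate values are short identifiers; tune for your site.
SAFE_VALUE = re.compile(r"[A-Za-z0-9_-]{1,32}")
REQUEST = re.compile(r'"[A-Z]+ (\S+) HTTP/[\d.]+"')

# Constructed sample lines (combined log format, placeholder path and addresses).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /jspui/search?query=thesis&filter_type_1=contains HTTP/1.1" 200 5120',
    '203.0.113.7 - - [01/Jan/2025:10:00:05 +0000] "GET /jspui/search?filter_type_1=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4800',
    '198.51.100.4 - - [01/Jan/2025:10:00:09 +0000] "GET /jspui/search?filter_type_1=%253Cscript%253Ealert(1)%253C%252Fscript%253E HTTP/1.1" 200 4790',
]

def fully_decode(value, max_rounds=3):
    """Undo repeated percent-encoding so double-encoded input is not missed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_values(log_line):
    """Return decoded filter_type_1 values in one log line that fail the allow-list."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    hits = []
    # parse_qsl performs the first round of percent-decoding.
    for name, value in parse_qsl(urlsplit(match.group(1)).query):
        if name == PARAM:
            decoded = fully_decode(value)
            if not SAFE_VALUE.fullmatch(decoded):
                hits.append(decoded)
    return hits

def scan(lines):
    """Return (line_number, client_address, values) for every flagged line."""
    findings = []
    for number, line in enumerate(lines, start=1):
        values = suspicious_values(line)
        if values:
            findings.append((number, line.split(" ", 1)[0], values))
    return findings

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same allow-list can be enforced in front of the application (reverse proxy or WAF rule) as an interim mitigation while no official patch is available.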