Impact
The vulnerability is a Cross-Site Scripting (XSS) flaw on the "Task in Progress / Recent" page of Arket Globe Document Intelligence version 5.0.0.559. When an authenticated user creates a new document, text fields are not properly sanitized or escaped, allowing an attacker to inject JavaScript code. When other users subsequently view the affected page, their browsers execute the injected script in the context of their own sessions, potentially enabling theft of session cookies, credential hijacking, or other malicious client-side actions. The weakness maps to CWE-79 (untrusted input used in client-side rendering).
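As an added example (not code from the vendor or from this advisory), the sketch below contrasts the flawed rendering pattern with output encoding and adds a heuristic audit of stored records for markup in text fields. The field names `title` and `description`, the function names, and the sample records are constructed assumptions, since the advisory does not name the affected fields.

```javascript
// Added example: all field names and records here are hypothetical.
const HTML_ESCAPES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };

// Encode a value for an HTML text or quoted-attribute context.
function escapeHtml(value) {
  return String(value ?? "").replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Flawed pattern: stored text is concatenated into markup unchanged,
// so markup saved by one user is parsed by every later viewer's browser.
function renderTaskRowUnsafe(doc) {
  return `<tr><td>${doc.title}</td><td>${doc.description}</td></tr>`;
}

// Hardened pattern: every user-supplied field is encoded at output time.
function renderTaskRow(doc) {
  return `<tr><td>${escapeHtml(doc.title)}</td><td>${escapeHtml(doc.description)}</td></tr>`;
}

// Audit heuristics: tags, inline event handlers, javascript: URLs.
// Matches are candidates for review, not proof of an injection.
const MARKUP_HINTS = [/<\s*\/?\s*[a-z][^>]*>/i, /\bon[a-z]+\s*=/i, /javascript\s*:/i];

// Return every (record id, field) pair whose stored value looks like markup.
function findSuspectFields(docs, fields = ["title", "description"]) {
  const hits = [];
  for (const doc of docs) {
    for (const field of fields) {
      const value = String(doc[field] ?? "");
      if (MARKUP_HINTS.some((re) => re.test(value))) {
        hits.push({ id: doc.id, field, value });
      }
    }
  }
  return hits;
}

// Constructed sample records (not taken from any real system).
const SAMPLE_DOCS = [
  { id: 1, title: "Q3 invoice batch", description: "Scanned 2024-09-30" },
  { id: 2, title: "<script>alert(1)</script>", description: "test" },
  { id: 3, title: "Contract", description: '<img src=x onerror="alert(1)">' },
  { id: 4, title: "Tom & Jerry <draft>", description: "a < b" },
];

console.log(findSuspectFields(SAMPLE_DOCS).map((h) => `${h.id}:${h.field}`));
```

Record 4 is a benign title that the audit still flags, which is why encoding at output time is the fix and the audit is only a review aid.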
Affected Systems
Arket Globe Document Intelligence 5.0.0.559 is the only product identified as affected. No additional vendor or product variants are listed.
Risk and Exploitability
The CVSS score of 6.3 indicates medium severity. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, indicating no known widespread exploitation yet. The impact is limited to client browsers, and the attacker must be authenticated to create the malicious document; once the payload is injected, any user who views the page can be compromised. Without a public patch, the exploitation vector remains an internal authenticated user injecting payloads that are later rendered for other users.