Impact
The vulnerability is an instance of improper neutralization of user input during web page generation, resulting in a Cross‑Site Scripting (XSS) flaw in the AT Internet Piano Analytics module for Drupal. The flaw allows an attacker to inject arbitrary client‑side code that will execute when the affected content is rendered in a user’s browser. No explicit downstream consequences such as credential theft or session hijacking are documented in the official description, so the exact impact depends on how the module reflects user-supplied data in page output.
Affected Systems
Two release ranges of the Drupal AT Internet Piano Analytics module are affected: versions from 0.0.0 up to, but not including, 1.0.1, and versions from 2.0.0 up to, but not including, 2.3.1. The vulnerability applies to the module as deployed on any Drupal site that uses these versions.
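A version check for the two affected ranges, as an added example that is not part of the advisory or the module's code. It assumes version strings may appear in semantic form (`2.3.0`), in Drupal's legacy contrib form (`8.x-1.0`) or with a pre-release suffix; the site names in the sample inventory are constructed.

```python
import re

# Affected ranges as stated in the advisory: [0.0.0, 1.0.1) and [2.0.0, 2.3.1).
AFFECTED_RANGES = [((0, 0, 0), (1, 0, 1)), ((2, 0, 0), (2, 3, 1))]

# Optional "v", optional legacy core prefix ("8.x-"), MAJOR.MINOR[.PATCH],
# optional pre-release suffix (-alpha1, -beta2, -rc1).
_VERSION_RE = re.compile(
    r"^v?(?:\d+\.x-)?(\d+)\.(\d+)(?:\.(\d+))?(?:-(alpha|beta|rc)\.?(\d*))?$",
    re.IGNORECASE,
)

def parse_version(raw):
    """Return ((major, minor, patch), is_prerelease), or None when the string
    carries no release number (for example a dev snapshot such as '2.x-dev')."""
    m = _VERSION_RE.match(raw.strip())
    if m is None:
        return None
    release = (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))
    return release, m.group(4) is not None

def classify(raw):
    """Return 'affected', 'not affected' or 'unknown' for one version string."""
    parsed = parse_version(raw)
    if parsed is None:
        return "unknown"  # dev snapshots need a manual check of the commit
    release, is_prerelease = parsed
    for low, fixed in AFFECTED_RANGES:
        # Assumption: pre-releases are compared by release number, which errs
        # toward reporting them.
        if low <= release < fixed:
            return "affected"
        # A pre-release of the fixed version sorts before the fixed release.
        if release == fixed and is_prerelease:
            return "affected"
    return "not affected"

def audit(inventory):
    """Map each site to its status; anything not 'not affected' needs action."""
    return {site: classify(version) for site, version in inventory.items()}

# Constructed sample inventory (site name -> installed module version).
SAMPLE_INVENTORY = {"intranet": "8.x-1.0", "shop": "2.3.1", "blog": "2.3.1-rc1",
                    "staging": "2.x-dev", "docs": "1.0.1"}

if __name__ == "__main__":
    for site, status in audit(SAMPLE_INVENTORY).items():
        print(f"{site}: {status}")
```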
Risk and Exploitability
The CVSS base score of 4.8 indicates moderate severity, and the EPSS score of less than 1% signifies a low probability of exploitation in the wild. The vulnerability is not listed in the CISA KEV catalog. The attack vector is not explicitly defined in the advisory; based on the nature of XSS, it is inferred that an attacker could exploit the flaw by submitting malicious input through a form field or by manipulating a URL parameter that is subsequently rendered, but such conditions are not specified in the official text.