Impact
A cross‑site scripting flaw exists in Key Systems Inc Global Facilities Management Software version 20230721a. The vulnerability resides in a function that accepts user‑supplied parameters without adequate input validation or output encoding. An attacker can supply crafted input that is written into a page served by the application; the injected script then runs in the browser of any user who views that page, within the application's origin, enabling credential theft, session hijacking, actions performed with the victim's privileges, or further compromise of the application and the data it manages. The flaw is classified as CWE‑79 (improper neutralization of input during web page generation), the weakness class that covers both reflected and stored XSS; the description does not specify which variant applies here.
Affected Systems
The software product affected is Key Systems Inc Global Facilities Management Software, specifically the 20230721a release. No other vendors or versions are currently listed as impacted.
Risk and Exploitability
The vulnerability carries a CVSS score of 8.2 (High). The EPSS score is below 1 percent, indicating a currently low estimated probability of exploitation in the wild, and the CVE is not in the CISA KEV catalog. The attack vector is the network: the vulnerable function is reached through a web interface or API that accepts the affected parameter, and for a reflected variant the attacker must typically induce a victim to follow a crafted link. Successful exploitation yields script execution in the victim's browser, not on the server; the realistic consequences are session hijacking, credential theft, and requests issued in the victim's name against the application. The low current exploitation likelihood does not offset the high impact, so apply the vendor patch or an equivalent mitigation promptly; until then, enforce contextual output encoding on the affected parameter and validate it against an allowlist wherever its expected format is known.
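The pattern behind a CWE‑79 finding, and the two mitigations named above (output encoding plus allowlist validation), shown as an added example; this is not code from Key Systems Inc or from the advisory, and the function names, the search template, and the test payload are hypothetical constructions for illustration only:

```javascript
// Added example, not the vendor's code: a minimal server-side template that
// reflects a user-supplied parameter, first without encoding (the CWE-79
// pattern) and then with contextual output encoding at the point of use.
// All names and the payload below are constructed for this illustration.

// Encode the characters that change meaning in an HTML text or
// double-quoted attribute context.
function escapeHtml(input) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(input).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable: the parameter is interpolated into the page body verbatim,
// so any markup the attacker supplies becomes part of the document.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened: same template, but the value is encoded for the HTML context
// it is written into, so browsers render it as text rather than parse it.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Defence in depth: when a parameter has a known shape (here an
// alphanumeric identifier), reject anything else before it is used at all.
function validateIdentifier(value) {
  return /^[A-Za-z0-9_-]{1,64}$/.test(String(value));
}

// Crude check used only to show the difference between the two renderers:
// true if the output contains a raw <script tag or an inline on*= handler.
// This is a constructed heuristic for the example, not a scanner.
function containsActiveMarkup(html) {
  return /<script\b|<[a-z]+[^>]*\son[a-z]+\s*=/i.test(html);
}

// Constructed payload of the kind used when testing for reflected XSS.
const payload = '<img src=x onerror="alert(document.cookie)">';

if (typeof require !== "undefined" && require.main === module) {
  console.log(renderSearchVulnerable(payload)); // markup survives intact
  console.log(renderSearchSafe(payload));       // rendered as inert text
  console.log(validateIdentifier(payload));     // false: rejected up front
}
```

Encoding must match the output context: the HTML-body encoder above is not sufficient for a value placed inside a JavaScript block, a URL, or a CSS property, each of which needs its own encoder. Validation alone is also insufficient for free-text fields, which is why the encoded rendering, not the allowlist, is the primary control.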
OpenCVE Enrichment