This vulnerability in Popup Builder involves CWE-79, where user input is not properly sanitized before being included in web pages, enabling stored XSS attacks. An attacker with low privileges can inject malicious scripts that execute in the context of other users, potentially leading to data theft, session hijacking, or other impacts. The CVSS vector indicates network attack vector, low attack complexity, low privileges required, and user interaction needed, with scope changed and partial impacts on confidentiality, integrity, and availability. No patch or official remediation level has been published, and the product is not a cloud service, so remediation depends on vendor updates.

Successful exploitation can lead to execution of arbitrary scripts in users' browsers, potentially compromising user data, session tokens, or causing other malicious actions within the affected web application context. The vulnerability affects confidentiality, integrity, and availability to a limited extent as indicated by the CVSS vector. There are no known active exploits reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, users should apply standard XSS mitigations such as input validation and output encoding where possible. Monitor vendor channels for updates and apply patches promptly once available.