CVE-2025-31029 describes a Stored Cross-site Scripting (XSS) vulnerability in bingu replyMail (versions ≤ 1.2.0). The issue is due to improper neutralization of input during web page generation, which allows attackers to inject malicious scripts that are stored and later executed in the context of users' browsers. The CVSS v3.1 base score is 7.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality, integrity, and availability.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of the affected application, potentially leading to information disclosure, modification of data, or disruption of service. The CVSS score indicates a high severity with partial impact on confidentiality, integrity, and availability. However, no known exploits have been reported in the wild.

No official patch or remediation is currently available for this vulnerability. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until a fix is released, users should exercise caution with untrusted input and consider implementing web application firewall rules or input sanitization as temporary mitigations.