The vulnerability CVE-2025-48107 in undsgn Uncode is a reflected cross-site scripting (XSS) issue caused by improper input neutralization during web page generation. It affects Uncode versions before 2.9.4.4. The CVSS 3.1 base score is 7.1, indicating a high severity with network attack vector, low attack complexity, no privileges required, user interaction required, and scope changed. The impact includes low confidentiality and integrity loss and low availability impact. There is no vendor advisory or patch information provided, and no known exploits have been reported.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of a user's browser, potentially leading to theft of sensitive information, session hijacking, or other malicious actions affecting confidentiality, integrity, and availability at a low level. The scope of impact is changed, meaning the vulnerability affects resources beyond the initially vulnerable component.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider applying web application firewall (WAF) rules to detect and block reflected XSS attempts and educate users to avoid clicking suspicious links. Monitor vendor channels for updates and patches.