This vulnerability in Basix NEX-Forms (<= 9.1.7) involves improper sanitization of user input when generating web pages, leading to Stored Cross-site Scripting (XSS). An attacker can inject malicious scripts that persist in the application and execute in the context of other users' browsers. The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L) reflects that the attack can be performed remotely with low complexity, requires no privileges but does require user interaction, and can result in partial confidentiality, integrity, and availability impacts.

Successful exploitation can lead to execution of arbitrary scripts in users' browsers, potentially resulting in theft of sensitive information, session hijacking, or other malicious actions impacting confidentiality, integrity, and availability. The vulnerability affects all users of the vulnerable NEX-Forms versions and can compromise user data and application trustworthiness. No known exploits in the wild have been reported so far.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider disabling or limiting the use of vulnerable NEX-Forms versions and applying web application firewall (WAF) rules to detect and block XSS payloads. Monitor vendor channels for updates and apply patches promptly once released.