The vulnerability CVE-2026-28112 affects LambertGroup's AllInOne - Banner Rotator plugin (versions ≤ 3.8) and is classified as a reflected cross-site scripting (XSS) flaw. It results from improper input neutralization during web page generation, enabling attackers to inject and execute arbitrary scripts in users' browsers. The CVSS 3.1 base score is 7.1, indicating high severity, with network attack vector, low attack complexity, no privileges required, user interaction needed, and impacts on confidentiality, integrity, and availability at a low level. There is no information about an available patch or official vendor remediation.

Successful exploitation of this reflected XSS vulnerability could allow an attacker to execute arbitrary scripts in the context of a victim's browser session when they visit a crafted URL or page. This can lead to limited disclosure of information, modification of data, or disruption of service within the scope of the affected application. The CVSS vector indicates low complexity and no privileges required, but user interaction is necessary. There are no known exploits in the wild at this time.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider applying input validation or output encoding workarounds if feasible. Monitor official LambertGroup communications for updates regarding patches or mitigations.