The vulnerability identified as CVE-2026-28130 affects AndonDesign UDesign (up to version 4.14.0) and is classified as a reflected cross-site scripting (XSS) flaw. It results from improper neutralization of input during web page generation, which can lead to execution of attacker-controlled scripts in the victim's browser. The CVSS 3.1 base score is 7.1, with vector AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L, indicating network attack vector, low attack complexity, no privileges required, user interaction required, scope changed, and low impact on confidentiality, integrity, and availability. No patch or vendor advisory information is provided, and no exploits are known in the wild.

Successful exploitation of this vulnerability could allow an attacker to execute arbitrary scripts in the context of a user's browser, potentially leading to information disclosure, modification of data, or disruption of service. The CVSS vector indicates that the attack can be launched remotely without privileges but requires user interaction. The scope change suggests that the vulnerability affects components beyond the initially vulnerable component. However, no known exploits have been reported.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider applying web application firewall (WAF) rules to detect and block reflected XSS attempts and educate users to avoid clicking on suspicious links. Monitor vendor channels for updates regarding patches or official mitigations.