This vulnerability (CVE-2026-56045) affects ValvePress Automatic versions before 3.135.1 and involves improper input sanitization leading to cross-site scripting (XSS). The flaw allows unauthenticated attackers to inject malicious scripts that can execute in the context of the victim's browser, potentially leading to partial confidentiality, integrity, and availability impacts. The CVSS 3.1 base score is 7.1, reflecting network attack vector, low attack complexity, no privileges required, user interaction required, and a scope change with low impact on confidentiality, integrity, and availability. No vendor advisory or patch information is currently available, and no known exploits in the wild have been reported.

Successful exploitation can lead to execution of arbitrary scripts in the victim's browser, potentially resulting in partial disclosure of information, modification of data, or disruption of service within the affected application context. The vulnerability affects confidentiality, integrity, and availability to a limited extent as indicated by the CVSS vector.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, consider applying input validation or output encoding workarounds if feasible. Monitor vendor communications for updates on patches or official mitigations.