This vulnerability (CVE-2026-5783) in CityPLus is caused by improper input sanitization during web page generation, leading to reflected cross-site scripting (CWE-79). An attacker can craft malicious input that is reflected in the web page response without proper neutralization, potentially enabling script execution in the context of the victim's browser. The vulnerability affects versions prior to V24.29750.1.0. The CVSS v3.1 base score is 7.6, indicating high severity, with network attack vector, low attack complexity, no privileges required, user interaction required, and impacts on confidentiality, integrity, and high impact on availability. No patch or official remediation has been disclosed by the vendor as of the published date.

Successful exploitation of this reflected XSS vulnerability could allow an attacker to execute arbitrary scripts in the context of the affected web application, potentially leading to information disclosure (confidentiality impact), modification of data (integrity impact), and disruption of service (availability impact). However, no known exploits have been reported in the wild.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should exercise caution with untrusted input and consider implementing web application firewall (WAF) rules or input validation as temporary mitigations. Monitor vendor communications for updates on patches or official mitigations.