A cross-site scripting vulnerability exists in versions of Apache Isis prior to 2.0.0-M9, which stems from input strings that are not properly escaped when rendered. An attacker could exploit this vulnerability to cause a cross-site scripting attack.