A reflected cross-site scripting (XSS) vulnerability was found in the Eclipse BIRT Report Viewer. Specifically, the __format parameter is not sufficiently sanitized, allowing JavaScript to be inserted in the URL. A remote attacker can exploit this flaw to execute JavaScript code within the context of the affected user.