Reflected XSS in PUBG
2025-11-13 11:43:49 Author: infosecwriteups.com

A single unsanitized parameter is all an attacker needs

Monika sharma


A security researcher reported a reflected cross-site scripting (XSS) issue on PUBG’s main site. At first glance it was the classic “reflected XSS” story (751870): a URL parameter was echoed into a page without proper escaping, and a crafted link could make a victim’s browser execute attacker-supplied JavaScript. But that simple description understates two important facts every web engineer and bug hunter should remember:

  1. Reflected XSS bugs are low-friction for attackers: a single crafted link sent via chat, social media, or email is enough.
  2. The impact depends on the surrounding application: authentication, available actions, and what JavaScript can access.

Below I’ll walk through the vulnerability in plain language, explain why it matters, show safe verification practices (no exploit code), and give concrete mitigation and detection guidance for engineers and bug hunters.

Summary

  • Target: https://www.pubg.com
  • Vulnerability class: Reflected Cross-Site Scripting
  • Root cause: A GET parameter (p) was echoed into a page without adequate sanitization/escaping.
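
The root cause listed above, shown as an added example (not code from the original write-up or from PUBG): a hypothetical renderer that echoes p unescaped, next to the same template with output encoding, plus a check that uses an inert marker instead of script. The /search route, the template and the marker string are assumptions made for illustration.

```javascript
// Added example: hypothetical page renderer, not PUBG's code.
// Assumption: the value of `p` lands in an HTML body and a quoted attribute.

// Escape the five characters that can change HTML parsing context.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Read `p` from a request URL; a missing parameter becomes an empty string.
function getP(requestUrl) {
  return new URL(requestUrl, 'https://example.test').searchParams.get('p') ?? '';
}

// BEFORE: the parameter is concatenated into markup as-is (the bug class described).
function renderVulnerable(requestUrl) {
  const p = getP(requestUrl);
  return `<input name="p" value="${p}"><p>Results for ${p}</p>`;
}

// AFTER: the same template with output encoding applied at the point of use.
function renderHardened(requestUrl) {
  const p = escapeHtml(getP(requestUrl));
  return `<input name="p" value="${p}"><p>Results for ${p}</p>`;
}

// Safe verification: send an inert marker containing markup characters and
// check whether it comes back byte-for-byte. No script is involved.
const MARKER = 'zq7"<i>zq7'; // constructed sample value
function reflectsRaw(render) {
  const url = '/search?p=' + encodeURIComponent(MARKER);
  return render(url).includes(MARKER);
}

console.log('vulnerable reflects raw marker:', reflectsRaw(renderVulnerable));
console.log('hardened reflects raw marker:', reflectsRaw(renderHardened));
console.log(renderHardened('/search?p=' + encodeURIComponent(MARKER)));
```

This encoding covers HTML body text and quoted attribute values only; a value placed inside a script block, a URL attribute or CSS needs the encoder for that context.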

Article source: https://infosecwriteups.com/reflected-xss-in-pubg-7cee89243268?source=rss----7b722bfd1b8d---4