A reflected XSS vulnerability occurs when user input is directly reflected (e.g. loaded from request URL query string on browser) onto the webpage that the user sees without sanitized. This could be exploited when a user clicks on a malicious link or otherwise submit a request with unintended effects (i.e. change account password to XXX, send session token to a external website).