So i found a website(lets call it example.com)with a search bar that is not properly sanitized. I was able to pop a alert box with a payload.But i noticed that the URL doesn't change for valid or invalid search query .It always remains www.example.com/search . No query string is being send when i search anything . In other word i cannot pop a alert box on someone else browser by sending them a infected link because URL always remains www.example.com/search.My attacks are only limited to my browser only .
So is this a vulnerability?