CVE-2025-61312
Received Received - Intake

Reflected XSS in Mecury Managed Print Services docuForm

Vulnerability report for CVE-2025-61312, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: MITRE

Description

A reflected cross-site scripted (XSS) vulnerability in the acc-menu_pricess.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary Javascript in the context of a user's browser via injecting a crafted payload into an unfiltered variable value.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-07-11
AI Q&A
2026-05-11
EPSS Evaluated
2026-07-09
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
gmbh_mecury docuform 11.11c

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The reflected cross-site scripting (XSS) vulnerability in docuForm FSM Server version 11.11c allows attackers to execute arbitrary JavaScript in users' browsers, which can lead to session hijacking, theft of sensitive data, unauthorized account takeover, or unintended actions on behalf of victims.

Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA, as these frameworks require protection of personal and sensitive data against unauthorized access and breaches.

Failure to address this vulnerability could result in exposure of sensitive user information, potentially leading to violations of data protection requirements and regulatory penalties.

Executive Summary

CVE-2025-61312 is a cross-site scripting (XSS) vulnerability in the acc-menu_pricess.php component of GmbH Mecury Managed Print Services (docuForm) version 11.11c. It allows attackers to inject arbitrary JavaScript code by exploiting improper neutralization of user-controllable input. This injected code can then be executed in the context of a user's browser.

Specifically, an authenticated attacker can inject malicious scripts that are stored by the application and later rendered unsafely in other users' browsers, leading to potential security risks.

Impact Analysis

This vulnerability can have serious impacts including session hijacking, theft of sensitive data, unauthorized account takeover, and performing unintended actions on behalf of victims.

Because the malicious JavaScript runs in the context of other users' browsers, attackers can steal cookies, credentials, or other sensitive information, compromising user accounts and data security.

Mitigation Strategies

The vendor has acknowledged the vulnerability and released a fix in November 2025. The immediate step to mitigate this vulnerability is to apply the vendor's patch or update for docuForm FSM Server version 11.11c that addresses the XSS issue in the acc-menu_pricess.php component.

Additionally, as a general best practice, you should ensure proper input validation and output encoding to prevent injection of malicious scripts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61312. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart