CVE-2025-61312
Reflected XSS in Mecury Managed Print Services docuForm
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gmbh_mecury | docuform | 11.11c |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-61312 is a cross-site scripting (XSS) vulnerability in the acc-menu_pricess.php component of GmbH Mecury Managed Print Services (docuForm) version 11.11c. It allows attackers to inject arbitrary JavaScript code by exploiting improper neutralization of user-controllable input. This injected code can then be executed in the context of a user's browser.
Specifically, an authenticated attacker can inject malicious scripts that are stored by the application and later rendered unsafely in other users' browsers, leading to potential security risks.
How can this vulnerability impact me?
This vulnerability can have serious impacts including session hijacking, theft of sensitive data, unauthorized account takeover, and performing unintended actions on behalf of victims.
Because the malicious JavaScript runs in the context of other users' browsers, attackers can steal cookies, credentials, or other sensitive information, compromising user accounts and data security.
What immediate steps should I take to mitigate this vulnerability?
The vendor has acknowledged the vulnerability and released a fix in November 2025. The immediate step to mitigate this vulnerability is to apply the vendor's patch or update for docuForm FSM Server version 11.11c that addresses the XSS issue in the acc-menu_pricess.php component.
Additionally, as a general best practice, you should ensure proper input validation and output encoding to prevent injection of malicious scripts.