CVE-2025-61313
Received Received - Intake

Reflected XSS in docuForm Mercury Managed Print Services

Vulnerability report for CVE-2025-61313, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-11

Last updated on: 2026-05-11

Assigner: MITRE

Description

A reflected cross-site scripted (XSS) vulnerability in the dfm-menu_markeralerts.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary Javascript in the context of a user's browser via injecting a crafted payload into an unfiltered variable value.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-11
Last Modified
2026-05-11
Generated
2026-07-11
AI Q&A
2026-05-11
EPSS Evaluated
2026-07-09
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
gmbh_mecury docuform 11.11c
gmbh_mecury docuform_fsm_server 11.11c

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-61313 is a stored cross-site scripting (XSS) vulnerability in the dfm-menu_markeralerts.php component of GmbH Mecury Managed Print Services (docuForm) FSM Server version 11.11c.

The vulnerability arises from improper neutralization of user-controllable input, allowing an authenticated attacker to inject arbitrary JavaScript code that is stored and later rendered unsafely in other users' browsers.

Compliance Impact

The vulnerability allows attackers to execute arbitrary JavaScript in users' browsers, potentially leading to theft of sensitive session data and unauthorized account takeover.

Such unauthorized access and data exposure can result in non-compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access and breaches.

Impact Analysis

This vulnerability can lead to the theft of sensitive session data, unauthorized account takeover, or unintended actions performed on behalf of victims.

Because the injected JavaScript runs in the context of other users' browsers, attackers can exploit this to compromise user accounts and data.

Mitigation Strategies

The vulnerability in the dfm-menu_markeralerts.php component of docuForm FSM Server version 11.11c was fixed by the vendor in November 2025.

Immediate mitigation steps include applying the vendor's patch or update that addresses this XSS vulnerability.

Additionally, consider restricting access to the affected component to authenticated and trusted users only, and monitor for suspicious activity related to script injection attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61313. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart