CVE-2025-61314
Reflected XSS in docuForm Mercury Managed Print Services
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: MITRE
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gmbh_mecury | docuform | up to and including 11.11c |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN | |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-61314 is a cross-site scripting (XSS) vulnerability in the dfm-menu_orderopt.php component of GmbH Mercury Managed Print Services (docuForm) version 11.11c.
This vulnerability allows attackers to inject arbitrary JavaScript code by exploiting improper neutralization of user-controllable input. The injected code can be executed in the context of a user's browser.
Specifically, authenticated attackers can inject malicious scripts that are stored and later executed when other users load the affected page.
How can this vulnerability impact me?
The vulnerability can lead to serious security impacts including:
- Theft of sensitive session data from users.
- Unauthorized account takeover by attackers.
- Unintended actions performed on behalf of victims without their consent.
What immediate steps should I take to mitigate this vulnerability?
The vendor has acknowledged the issue and released a fix in November 2025. The immediate mitigation is to apply the vendor's patch or update for docuForm FSM Server version 11.11c, which addresses the XSS vulnerability in the dfm-menu_orderopt.php component.