CVE-2026-6956
Reflected Cross-Site Scripting in ATutor Installer
Publication date: 2026-05-11
Last updated on: 2026-05-11
Assigner: CERT.PL
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| atutor | atutor | From 2.2.4 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-79 | The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6956 is a Reflected Cross-Site Scripting (XSS) vulnerability found in the ATutor software, specifically in the /install/install.php endpoint.
An attacker can create a specially crafted URL that, when opened by a victim, causes arbitrary JavaScript code to execute in the victim's browser. This happens because the input is not properly neutralized during the web page generation.
Only ATutor version 2.2.4 was tested and confirmed vulnerable, but other versions might also be affected. The product is no longer actively supported.
How can this vulnerability impact me?
This vulnerability allows an attacker to execute arbitrary JavaScript in the browser of anyone who opens the malicious URL.
- It can lead to theft of sensitive information such as cookies, session tokens, or other private data accessible via the browser.
- Attackers could perform actions on behalf of the victim within the context of the vulnerable site.
- It may facilitate further attacks like phishing, spreading malware, or defacing the website.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking for the presence of the vulnerable endpoint /install/install.php in ATutor version 2.2.4 or possibly other versions.
One way to detect it is by sending crafted HTTP requests to the /install/install.php endpoint and observing if the response reflects input without proper neutralization, which could indicate susceptibility to reflected XSS.
For example, you can use curl or similar tools to test the endpoint:
- `curl -i "http://target-site/install/install.php?input=<script>alert(1)</script>"`
If the response contains the injected script tag without encoding or sanitization, the system is vulnerable.
Additionally, network monitoring tools can be used to detect suspicious URLs containing script tags or unusual parameters targeting /install/install.php.
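As an added example (not part of this CVE record or of ATutor), the following Python script implements both checks described above on constructed data: it scans web-server access-log lines for requests to /install/install.php whose query values decode to markup or script-like fragments, and it classifies a response body as echoing a benign probe marker verbatim (unencoded) versus HTML-escaped. The log lines, addresses and the probe marker are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access-log lines (combined log format); the addresses,
# hostnames and user agents are placeholders, not real indicators.
SAMPLE_LOG = """\
203.0.113.7 - - [11/May/2026:10:00:01 +0000] "GET /install/install.php?step=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [11/May/2026:10:00:05 +0000] "GET /install/install.php?input=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 640 "-" "curl/8.0"
198.51.100.4 - - [11/May/2026:10:00:09 +0000] "GET /index.php?q=%3Cscript%3E HTTP/1.1" 200 300 "-" "Mozilla/5.0"
203.0.113.9 - - [11/May/2026:10:00:12 +0000] "GET /install/install.php?step=2&src=javascript:void(0) HTTP/1.1" 200 600 "-" "curl/8.0"
"""

VULN_PATH = "/install/install.php"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Fragments that have no business in an installer query parameter: a tag opener,
# a javascript: URL, or an inline event handler attribute.
SUSPICIOUS_RE = re.compile(r"(<\s*/?\s*\w+|javascript\s*:|\bon\w+\s*=)", re.IGNORECASE)

# Benign probe marker for the reflection check: carries the characters an
# injection would need but executes nothing. Constructed value, not from the page.
PROBE_MARKER = 'cve6956"\'<probe>'


def suspicious_install_requests(log_text):
    """Return (line_no, param_name, decoded_value) for each request to the
    installer whose query parameter contains a suspicious fragment."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), start=1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        url = urlsplit(m.group("target"))
        if url.path != VULN_PATH:
            continue
        # parse_qsl already URL-decodes once; decode again so double-encoded
        # payloads (%253C...) are still inspected in their decoded form.
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if SUSPICIOUS_RE.search(unquote_plus(value)):
                hits.append((line_no, name, value))
    return hits


def reflected_unencoded(response_body, marker=PROBE_MARKER):
    """True when the probe marker is echoed verbatim; an HTML-escaped echo
    (e.g. &lt;probe&gt;) means the output was neutralized and is not flagged."""
    return marker in response_body


if __name__ == "__main__":
    for line_no, name, value in suspicious_install_requests(SAMPLE_LOG):
        print(f"line {line_no}: parameter {name!r} -> {value!r}")
```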
What immediate steps should I take to mitigate this vulnerability?
Since ATutor is no longer actively supported and the vulnerability exists in the /install/install.php endpoint, immediate mitigation steps include:
- Restrict or disable access to the /install/install.php endpoint if it is not needed.
- Implement web application firewall (WAF) rules to block requests containing suspicious script tags or payloads targeting this endpoint.
- Educate users to avoid clicking on suspicious or untrusted URLs that may exploit this reflected XSS vulnerability.
- Consider isolating or removing the vulnerable version 2.2.4 installation if possible.
Since no patch or update is available due to lack of active support, these steps help reduce exposure and risk.