Description
A reflected cross-site scripting (XSS) vulnerability in the dfm-menu_firmware.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary JavaScript in the context of a user's browser by injecting a crafted payload into an unfiltered variable value.
Published: 2026-05-11
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A reflected cross-site scripting vulnerability exists in the dfm-menu_firmware.php component of GmbH Mecury Managed Print Services (docuForm). The flaw allows an attacker to inject a crafted payload into an unfiltered variable value, which is then reflected back in the HTTP response and rendered by the browser, enabling arbitrary JavaScript execution in the context of the victim's session. This could be used for session hijacking, defacement, or delivery of malicious scripts to the user.

Affected Systems

docuForm version 11.11c is affected, specifically its firmware menu component (dfm-menu_firmware.php). No other vendors, products or versions are listed.

Risk and Exploitability

The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, so no public exploitation has been reported yet. The CVSS score of 6.1 indicates medium severity. Reflected XSS is rated medium because exploitation requires a user to visit a crafted URL or interact with a malicious link; an attacker would need to lure the target to such a link, typically through social engineering.

Generated by OpenCVE AI on May 11, 2026 at 21:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a version of docuForm that contains the fix for the dfm-menu_firmware.php XSS issue
  • If an immediate upgrade is not possible, implement input sanitization or output escaping for the vulnerable variable before it is rendered
  • Deploy a content security policy that restricts inline script execution to mitigate the impact of any remaining reflected XSS

Advisories

No advisories yet.

History

Mon, 11 May 2026 21:30:00 +0000
Type: Title
Values Added: Reflected XSS in docuForm Firmware Menu Allows Remote Script Execution

Mon, 11 May 2026 19:15:00 +0000
Type: Metrics
Values Added: cvssV3_1 {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 18:15:00 +0000
Type: Title
Values Added: Reflected XSS in docuForm Firmware Menu Allows Remote Script Execution
Type: Weaknesses
Values Added: CWE-79

Mon, 11 May 2026 15:30:00 +0000
Type: Description
Values Added: A reflected cross-site scripting (XSS) vulnerability in the dfm-menu_firmware.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary JavaScript in the context of a user's browser by injecting a crafted payload into an unfiltered variable value.
Type: References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-11T18:44:18.389Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-61305

Vulnrichment

Updated: 2026-05-11T18:43:42.432Z

NVD

Status: Received

Published: 2026-05-11T16:17:27.703

Modified: 2026-05-11T20:23:28.943

Link: CVE-2025-61305

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T21:15:46Z

Weaknesses