Description
A reflected cross-site scripting (XSS) vulnerability in the acc-menu_papers.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary JavaScript in the context of a user's browser by injecting a crafted payload into an unfiltered variable value.
Published: 2026-05-11
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The reported issue is a reflected cross‑site scripting flaw in the acc‑menu_papers.php component of docuForm version 11.11c. An attacker can inject malicious JavaScript into an unfiltered variable value that is later rendered back to the user’s browser. This allows arbitrary script execution in the victim’s context, potentially enabling cookie theft, session hijacking, defacement, or the execution of any other browser‑based attack.

Affected Systems

The flaw is limited to the GmbH Mecury Managed Print Services docuForm application, specifically version 11.11c. No other versions or vendor products are identified in the advisory. Administrators should verify that their deployed instance matches this version before taking action.

Risk and Exploitability

No EPSS score is published, and the vulnerability is not listed in the CISA KEV catalog. The CVSS score of 6.1 indicates medium severity. Because this is a reflected XSS, it is triggered when a user visits a crafted URL or interacts with the affected module, and the attacker needs no authentication (the vector specifies PR:N and UI:R). The low attack complexity, combined with the broad impact on all users of the affected component, places this vulnerability in a moderate risk category for environments where the application is publicly accessible.

Generated by OpenCVE AI on May 11, 2026 at 21:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade docuForm to a version that contains the fix for the acc‑menu_papers.php XSS issue once the vendor releases one.
  • Sanitize or encode all user‑supplied input in the acc‑menu_papers.php component before rendering it.
  • Deploy a web application firewall rule that blocks common XSS payloads or matching patterns in requests to acc‑menu_papers.php.


Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Docuform; Docuform docuform
Vendors & Products | | Docuform; Docuform docuform

Mon, 11 May 2026 21:30:00 +0000

Type | Values Removed | Values Added
Title | | Reflected XSS in docuForm acc-menu_papers.php

Mon, 11 May 2026 19:15:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 11 May 2026 17:00:00 +0000

Type | Values Removed | Values Added
Title | | Reflected XSS in docuForm acc-menu_papers.php
Weaknesses | | CWE-79

Mon, 11 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | A reflected cross-site scripting (XSS) vulnerability in the acc-menu_papers.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary JavaScript in the context of a user's browser by injecting a crafted payload into an unfiltered variable value.
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-11T18:47:11.524Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-61307

Vulnrichment

Updated: 2026-05-11T18:47:07.397Z

NVD

Status: Deferred

Published: 2026-05-11T16:17:27.983

Modified: 2026-05-12T15:05:31.120

Link: CVE-2025-61307

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:24:00Z

Weaknesses