A reflected cross‑site scripting vulnerability was discovered in the dfm‑menu_departments.php component of GmbH Mecury Managed Print Services (docuForm) version 11.11c. The flaw results from an unfiltered variable value being returned directly to the client, enabling an attacker to inject arbitrary JavaScript. If an affected user visits a crafted URL or otherwise provides the malicious input, the script executes in the browser, potentially compromising session credentials, defacing pages or performing actions on the user’s behalf.

The vulnerability affects the GmbH Mecury Managed Print Services product, specifically the docuForm management application version 11.11c. It appears in the dfm‑menu_departments.php code path and has not been reported in earlier releases. Users running this version on internal networks or exposing the application to customers are at risk.

The flaw is client‑side and does not require authentication; an attacker can supply a malicious payload in a URL or form field that is reflected back to the user. According to the CVSS score of 6.1, the vulnerability presents a moderate severity risk. The lack of EPSS data means the precise exploitation probability is unknown, but reflected XSS is generally straightforward to deploy via phishing or compromised content. The vulnerability is not listed in the CISA KEV catalog, indicating no confirmed public exploitation yet, yet the impact on confidentiality, integrity and availability of user sessions can be significant.