Description
A reflected cross-site scripting (XSS) vulnerability in the acc-menu_billings.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary JavaScript in the context of a user's browser by injecting a crafted payload into an unfiltered variable value.
Published: 2026-05-11
Score: 6.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a reflected cross‑site scripting flaw in acc-menu_billings.php of docuForm (GmbH Mecury Managed Print Services) version 11.11c. It allows attackers to execute arbitrary JavaScript in the context of a victim’s browser by injecting a crafted payload into an unfiltered variable value. Because the payload runs with the privileges of the authenticated user, an attacker could hijack sessions, steal cookies, or perform other malicious actions. This flaw corresponds to CWE‑79.

Affected Systems

The affected systems are the docuForm Managed Print Services application from GmbH Mecury, specifically version 11.11c. Users of this version who can access the acc-menu_billings.php component are vulnerable to the reflected XSS attack.

Risk and Exploitability

The CVSS score is 6.1 and the EPSS score is not listed, nor is the vulnerability in the KEV catalog. Nevertheless, reflected XSS is typically considered high risk, especially in a management platform that authenticated users rely on. Based on the description, the attack vector is inferred to be a victim clicking a crafted URL or viewing a page that includes the malicious payload. Exploitation requires no privileges beyond user access and results in client‑side JavaScript execution, with the potential to hijack user sessions, steal sensitive information, or deface the site.

Generated by OpenCVE AI on May 11, 2026 at 20:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor's latest patch or upgrade to a fixed version of docuForm.
  • Ensure all user‑supplied data that is reflected in output is properly encoded or escaped for the browser context, following CWE‑79 guidelines.
  • Deploy a restrictive Content Security Policy that blocks inline scripts and limits script sources to trusted domains.

Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

Type: First Time appeared; Values Removed: (none); Values Added: Docuform, Docuform docuform
Type: Vendors & Products; Values Removed: (none); Values Added: Docuform, Docuform docuform

Mon, 11 May 2026 21:00:00 +0000

Type: Title; Values Removed: (none); Values Added: Reflected XSS in docuForm acc-menu_billings.php

Mon, 11 May 2026 19:15:00 +0000

Type: Metrics; Values Removed: (none); Values Added:

cvssV3_1: {'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 11 May 2026 17:30:00 +0000

Type: Title; Values Removed: (none); Values Added: Reflected XSS in docuForm acc-menu_billings.php
Type: Weaknesses; Values Removed: (none); Values Added: CWE-79

Mon, 11 May 2026 15:30:00 +0000

Type: Description; Values Removed: (none); Values Added: A reflected cross-site scripting (XSS) vulnerability in the acc-menu_billings.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary JavaScript in the context of a user's browser by injecting a crafted payload into an unfiltered variable value.
Type: References; Values Removed: (none); Values Added: (none)

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-11T18:49:48.478Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-61310

Vulnrichment

Updated: 2026-05-11T18:49:43.995Z

NVD

Status: Deferred

Published: 2026-05-11T16:17:28.317

Modified: 2026-05-12T15:05:31.120

Link: CVE-2025-61310

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:23:56Z

Weaknesses