Impact
A reflected cross-site scripting vulnerability exists in the dfm-menu_markeralerts.php component of GmbH Mercury Managed Print Services (docuForm) version 11.11c. An attacker can inject a crafted payload into an unfiltered variable value that is echoed back in the HTTP response, causing the victim's browser to execute arbitrary JavaScript code in the context of the application. This can enable attackers to perform actions such as cookie theft, session hijacking, or phishing. While the description does not detail all possible consequences, the ability to run arbitrary script constitutes a serious client-side integrity breach.
Affected Systems
The affected product is GmbH Mercury Managed Print Services (docuForm) version 11.11c, specifically the dfm-menu_markeralerts.php code path. No other versions or components are listed as impacted.
Risk and Exploitability
This is a classic reflected XSS (CWE-79): the injected script executes when a victim follows a crafted link or submits a malicious request. The CVSS score of 7.3 indicates a substantial impact. EPSS data is unavailable and the vulnerability is not listed in CISA KEV, so the exact exploitation probability remains unclear, but reflected XSS is a known high-impact vector for client-side code execution. The risk remains moderate to high for users who interact with the exposed component, especially when it is publicly reachable or when sessions are shared.