Description
A reflected cross-site scripting (XSS) vulnerability in the dfm-menu_orderopt.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary JavaScript in the context of a user's browser by injecting a crafted payload into an unfiltered variable value.
Published: 2026-05-11
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The CVE is a reflected cross-site scripting flaw in the dfm-menu_orderopt.php component of docuForm v11.11c. An attacker can supply a crafted payload that the application reflects into the response without any filtering. If a user opens the affected page with that payload, the browser executes the injected JavaScript in the context of that user's session, enabling credential theft, session hijacking, or other client-side attacks. The root weakness is unvalidated input rendered directly into the page, which matches the classic reflected XSS profile (CWE-79).

Affected Systems

The affected product is GmbH Mecury Managed Print Services (docuForm) version 11.11c. No other vendors or products were enumerated. The vulnerability resides in the dfm-menu_orderopt.php component of this product.

Risk and Exploitability

The vulnerability is a reflected XSS, so an attacker must persuade or trick a user into visiting a crafted URL or submitting a crafted form. The CVSS score is 7.3, indicating high severity, while no EPSS score was available to this analysis. Based on the CVSS score, the risk is considered significant. The CVE is not listed in CISA KEV, which indicates no reported active exploitation at the time of this analysis. Exploitation requires user interaction; however, once the payload executes, the attacker can perform a range of harmful actions within the user's session.

Generated by OpenCVE AI on May 11, 2026 at 23:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor‑issued patch that sanitizes the menu_orderopt input in dfm-menu_orderopt.php
  • If a patch is not yet available, implement strict input validation or a whitelist for the menu_orderopt parameter to allow only expected values
  • Configure a web application firewall to detect and block script injection attempts targeting the dfm-menu_orderopt endpoint
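The second recommended action, allow-listing the menu_orderopt parameter, looks like the following in PHP. This is an added illustration, not code from docuForm or OpenCVE: the permitted values, the function names and the page markup are assumptions, since the real semantics of menu_orderopt are not published on this page. The handler rejects any value outside a fixed allow-list before it can be reflected, and still HTML-encodes the value at the point of output.

```php
<?php
declare(strict_types=1);

// Added example, not docuForm code. The permitted values below are assumed
// for illustration; the real menu_orderopt semantics are not documented here.
const ALLOWED_ORDEROPT = ['asc', 'desc', 'name', 'date'];

// The pattern the advisory describes is an unfiltered reflection such as
//     echo $_GET['menu_orderopt'];
// which writes attacker-controlled text straight into the HTML response.
// The two functions below replace that with allow-list validation plus
// contextual output encoding.

/**
 * Return the menu_orderopt value if it is on the allow-list, otherwise null.
 * Strict comparison avoids PHP type juggling; non-string input such as
 * ?menu_orderopt[]=x is rejected as well.
 */
function validateOrderOpt(array $query): ?string
{
    $raw = $query['menu_orderopt'] ?? null;
    if (!is_string($raw)) {
        return null;
    }
    return in_array($raw, ALLOWED_ORDEROPT, true) ? $raw : null;
}

/**
 * Output encoding for an HTML body context. Allow-listed values are encoded
 * anyway, so the page stays safe if the list is later widened.
 */
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

$opt = validateOrderOpt($_GET);
if ($opt === null) {
    // Reject rather than reflect: the unexpected value never reaches the page.
    http_response_code(400);
    header('Content-Type: text/plain; charset=UTF-8');
    echo "Invalid menu_orderopt value.";
    exit;
}

header('Content-Type: text/html; charset=UTF-8');
// A CSP without 'unsafe-inline' is a defence-in-depth layer against reflected XSS.
header("Content-Security-Policy: default-src 'self'; script-src 'self'");
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="UTF-8"><title>Menu order</title></head>
<body>
<p>Order option: <?= h($opt) ?></p>
<form method="get">
  <select name="menu_orderopt">
  <?php foreach (ALLOWED_ORDEROPT as $v): ?>
    <option value="<?= h($v) ?>"<?= $v === $opt ? ' selected' : '' ?>><?= h($v) ?></option>
  <?php endforeach; ?>
  </select>
  <button type="submit">Apply</button>
</form>
</body>
</html>
```

Two design points: validation and encoding are kept separate because they defend different things (the allow-list limits what the application accepts, the encoding makes whatever is emitted inert in HTML), and the error path returns plain text so a rejected value is never echoed into an HTML context at all. The Content-Security-Policy header is an additional layer, not a substitute for the output encoding.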

Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Docuform; Docuform docuform
Vendors & Products | | Docuform; Docuform docuform

Mon, 11 May 2026 23:30:00 +0000

Type | Values Removed | Values Added
Title | | Reflected Cross-Site Scripting in docuForm Menu Order Component

Mon, 11 May 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | cvssV3_1 {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}

Mon, 11 May 2026 17:00:00 +0000

Type | Values Removed | Values Added
Title | | Reflected Cross-Site Scripting in docuForm Menu Order Component
Weaknesses | | CWE-79

Mon, 11 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
Description | | A reflected cross-site scripted (XSS) vulnerability in the dfm-menu_orderopt.php component of GmbH Mecury Managed Print Services (docuForm) v11.11c allows attackers to execute arbitrary Javascript in the context of a user's browser via injecting a crafted payload into an unfiltered variable value.
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-11T19:30:19.521Z

Reserved: 2025-09-26T00:00:00.000Z

Link: CVE-2025-61314

Vulnrichment

No data.

NVD

Status: Deferred

Published: 2026-05-11T16:17:28.743

Modified: 2026-05-12T15:05:31.120

Link: CVE-2025-61314

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:23:50Z

Weaknesses