Description
ATutor is vulnerable to Reflected XSS in /install/upgrade.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser.

Product is no longer actively supported. Maintainers of this project were notified early about this vulnerability, but did not respond with the details of the vulnerability or vulnerable version range. Only version 2.2.4 was tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.
Published: 2026-05-11
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The ATutor learning management system is vulnerable to reflected Cross‑Site Scripting in the /install/upgrade.php endpoint. An attacker can supply a specially crafted URL that, when a user visits it, causes the browser to execute arbitrary JavaScript. This flaw permits attackers to hijack user sessions, deface content, or perform other malicious actions within the browser context. The weakness is classified as CWE‑79.

Affected Systems

ATutor, the open‑source modular learning management system, is affected. Version 2.2.4 has been confirmed to contain the vulnerability. Other releases of ATutor may also be impacted, although they have not been formally tested.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate severity vulnerability that affects confidentiality, integrity and availability of user sessions. With an EPSS score of less than 1 % the likelihood of exploitation in the wild is low, and the flaw is not listed in CISA’s KEV catalogue. The likely attack vector is a user clicking on a malicious link that contains the reflected payload; the attacker must first convince a user to visit the crafted URL and the exploitation requires no special privileges on the server side or other system resources.

Generated by OpenCVE AI on May 11, 2026 at 17:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable or remove the /install/upgrade.php endpoint from production deployments to prevent the vulnerable input from being exposed
  • Implement input sanitization or a whitelist filter on the upgrade.php script to neutralize user‑supplied parameters, addressing the underlying CWE‑79 flaw
  • Deploy a web application firewall or layer‑7 filtering rule that blocks suspicious query strings or JavaScript payloads targeting the upgrade.php endpoint
  • If a newer, non‑vulnerable version of ATutor becomes available, upgrade the application or replace it with an actively supported learning platform
  • Apply corporate security policies to restrict the use of externally supplied URLs and educate users about phishing and malicious link risks

Generated by OpenCVE AI on May 11, 2026 at 17:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 11 May 2026 18:15:00 +0000

Type Values Removed Values Added
First Time appeared Atutor
Atutor atutor
Vendors & Products Atutor
Atutor atutor

Mon, 11 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description ATutor is vulnerable to Reflected XSS in /install/upgrade.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is no longer actively supported. Maintainers of this project were notified early about this vulnerability, but did not respond with the details of the vulnerability or vulnerable version range. Only version 2.2.4 was tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.
Title Reflected XSS in ATutor
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Atutor Atutor
cve-icon MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-05-11T12:40:53.909Z

Reserved: 2026-04-23T13:24:46.397Z

Link: CVE-2026-6909

cve-icon Vulnrichment

Updated: 2026-05-11T12:40:50.481Z

cve-icon NVD

Status : Deferred

Published: 2026-05-11T10:16:15.097

Modified: 2026-05-12T14:15:25.170

Link: CVE-2026-6909

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-11T18:00:13Z

Weaknesses