Description
ATutor is vulnerable to Reflected XSS in the /install/install.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser.

Product is no longer actively supported. Maintainers of this project were notified early about this vulnerability, but did not respond with the details of the vulnerability or vulnerable version range. Only version 2.2.4 was tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.
Published: 2026-05-11
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ATutor is vulnerable to reflected cross-site scripting (CWE-79, improper neutralization of input during web page generation) in its /install/install.php endpoint: input supplied in the request is echoed into the response without adequate output encoding, so a crafted URL runs attacker-chosen JavaScript in the browser of whoever opens it, within the origin of the ATutor site. Whatever that victim's browser can do on the site, the script can do: read the rendered page, issue requests with the victim's session, and read cookies not flagged HttpOnly.

Affected Systems

The vulnerability was confirmed on ATutor 2.2.4. The maintainers have released neither a patch nor a statement of which versions are safe, and the product is no longer actively supported. Other versions were not tested and may be affected as well; with no documented version range, every ATutor deployment that still exposes /install/install.php should be treated as vulnerable regardless of version.

Risk and Exploitability

The CVSS 4.0 base score of 5.1 is Medium; the vector (AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N) records network reachability, no authentication or privileges, active user interaction (the victim must open the crafted link), and impact confined to the subsequent system, i.e. the victim's browser rather than the ATutor server. The EPSS estimate below 1% indicates a low probability of exploitation in the wild, the CVE is not in the CISA KEV catalog, and the SSVC assessment lists exploitation as none and the flaw as not automatable. None of this lowers exposure: with the product unsupported and no patch available, an installation that leaves /install/install.php reachable stays exploitable until access to it is removed.

Generated by OpenCVE AI on May 11, 2026 at 17:58 UTC.
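
An operator of an ATutor instance will want to know two things from the web-server logs: whether the installer is still being served at all, and whether anyone is sending script-shaped input at it. The following Python is an added example, not code from this advisory or from the ATutor project. It parses access logs in the common "combined" format, flags any request to /install/install.php that was actually served (status below 400), and separately flags query strings that, after URL-decoding, contain markup or event-handler syntax typical of a reflected-XSS attempt. The log lines are constructed for the example, and the parameter name `p` in them is a placeholder: the advisory does not identify the vulnerable parameter.

```python
"""Triage web-server access logs for requests to ATutor's /install/install.php.

Added example: flags (a) installer requests that were served at all and
(b) query strings carrying script-shaped input typical of reflected XSS.
"""
import re
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

INSTALL_PATH = "/install/install.php"

# Shapes seen in reflected-XSS payloads, matched after URL-decoding.
# A triage heuristic, not an HTML parser.
XSS_MARKERS = re.compile(
    r"<\s*/?\s*(script|img|svg|iframe|body|object|embed|style)\b"  # tag injection
    r"|\bon[a-z]+\s*="                                              # event handler attribute
    r"|javascript\s*:",                                             # javascript: URL
    re.IGNORECASE,
)


def decode_query(query: str) -> str:
    """URL-decode up to twice: a proxy may encode once and probes are often double-encoded."""
    return unquote_plus(unquote_plus(query))


def classify(entry: dict) -> list:
    """Findings for one parsed entry; empty when the request is not to the installer."""
    parts = urlsplit(entry["target"])
    if parts.path != INSTALL_PATH:
        return []
    findings = []
    status = int(entry["status"])
    if status < 400:
        # After installation nothing under /install/ should be served at all.
        findings.append(f"installer served with HTTP {status}")
    if XSS_MARKERS.search(decode_query(parts.query)):
        findings.append("script-like payload in query string")
    return findings


def scan(lines):
    """Return (ip, target, status, findings) for every line with at least one finding."""
    results = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if not m:
            continue  # not combined format; skip rather than guess
        entry = m.groupdict()
        findings = classify(entry)
        if findings:
            results.append((entry["ip"], entry["target"], int(entry["status"]), findings))
    return results


# Constructed sample lines. "p" is a placeholder parameter name: the advisory does not
# name the vulnerable parameter, so these are not the real attack strings.
SAMPLE_LOG = [
    '198.51.100.7 - - [11/May/2026:12:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/May/2026:12:00:09 +0000] "GET /install/install.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/May/2026:12:01:30 +0000] "GET /install/install.php?p=%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E HTTP/1.1" 200 2211 "http://lure.example/" "Mozilla/5.0"',
    '203.0.113.5 - - [11/May/2026:12:05:02 +0000] "GET /install/install.php?p=%253Cimg%2520src%253Dx%2520onerror%253Dalert(1)%253E HTTP/1.1" 403 199 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, status, findings in scan(SAMPLE_LOG):
        print(f"{ip} {status} {target}\n    " + "; ".join(findings))
```

Run it against a real log with `scan(open("access.log"))`. The two findings are deliberately kept apart: a served installer is a misconfiguration finding even with an empty query string, and a script-shaped query that drew a 403 or 404 shows the block is holding but that the endpoint is being probed. Treat marker hits as leads to check against the actual response, not as confirmed exploitation.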

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Migrate to a supported LMS platform. If ATutor must stay in service, delete the /install directory from the web root once installation is complete; it is only needed for setup.
  • Block access to /install/install.php (and the rest of /install/) at the web server so it is unreachable from the network, and verify with a request from outside the host that returns 403 or 404.
  • Deploy a Content Security Policy that disallows inline scripts and restricts script sources; this limits what a reflected payload can do but does not remove the reflection itself. Test it in report-only mode first, since a legacy PHP application is likely to depend on inline JavaScript.

Generated by OpenCVE AI on May 11, 2026 at 17:58 UTC.
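
The second and third recommended actions expressed as web-server configuration, as an added example that is not from this advisory or from the ATutor project. It assumes Apache httpd 2.4 with mod_alias and mod_headers loaded and an ATutor document root of /var/www/ATutor; both are assumptions to adjust to the real deployment.

```apache
# Added hardening example (not ATutor project configuration). Assumes Apache httpd 2.4
# with mod_alias and mod_headers, and ATutor installed at /var/www/ATutor (assumption).

# Recommended action 2: make the installer unreachable after installation.
# 404 rather than 403 gives an outside observer no confirmation that the path exists.
RedirectMatch 404 "^/install(/.*)?$"

# The same restriction enforced at the filesystem level, so a later rewrite rule
# cannot reintroduce access by routing around the RedirectMatch.
<Directory "/var/www/ATutor/install">
    Require all denied
</Directory>

# Recommended action 3: Content Security Policy without inline or third-party scripts.
# Start in report-only mode: a legacy PHP application is likely to rely on inline
# JavaScript, and this policy will block it. Rename the header to
# Content-Security-Policy once the reports show the site works without inline scripts.
<IfModule mod_headers.c>
    Header always set Content-Security-Policy-Report-Only \
        "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'self'"
</IfModule>
```

After reloading, request /install/install.php from a host outside the deployment; anything other than a 403 or 404 means another virtual host or rewrite rule is still serving it. The CSP constrains what an injected script can load and execute; only removing or blocking the installer removes the reflection.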

Advisories

No advisories yet.

History

Mon, 11 May 2026 17:45:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Atutor; Atutor atutor
Vendors & Products   -                Atutor; Atutor atutor

Mon, 11 May 2026 15:15:00 +0000

Type         Values Removed   Values Added
Description  -                ATutor is vulnerable to Reflected XSS in /install/install.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is no longer actively supported. Maintainers of this project were notified early about this vulnerability, but did not respond with the details of the vulnerability or vulnerable version range. Only version 2.2.4 was tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.
Title        -                Reflected XSS in ATutor
Weaknesses   -                CWE-79
References   -
Metrics      -                cvssV4_0: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}
                              ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: CERT-PL

Published:

Updated: 2026-05-11T12:40:01.775Z

Reserved: 2026-04-24T13:18:52.511Z

Link: CVE-2026-6956

Vulnrichment

Updated: 2026-05-11T12:39:57.777Z

NVD

Status: Received

Published: 2026-05-11T10:16:15.253

Modified: 2026-05-11T10:16:15.253

Link: CVE-2026-6956

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-11T18:00:14Z

Weaknesses