Reflected XSS Vulnerability in ATutor by ExeLearning
CVE-2026-6909
5.1 MEDIUM
What is CVE-2026-6909?
ATutor is affected by a reflected cross-site scripting (XSS) vulnerability in the /install/upgrade.php endpoint. An attacker can craft a malicious URL that, when opened by a victim, executes arbitrary JavaScript in the victim's browser. Only version 2.2.4 has been tested and confirmed as vulnerable, but other versions may also be affected. The product is no longer actively supported; the maintainers have been made aware of the issue but have not provided specific details or a comprehensive assessment of the vulnerability across different versions.
Affected Version(s)
ATutor 2.2.4
References
CVSS v4
Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown
Timeline
Vulnerability published
Vulnerability reserved
Credit
Michał Majchrowicz (AFINE)
Marcin Wyczechowski (AFINE)
Pawel Zdunek (AFINE)
