Reflected XSS Vulnerability in ATutor Software by Atutor
CVE-2026-6956

5.1 MEDIUM

Key Information:

Vendor

Atutor

Status
Vendor
CVE Published: 11 May 2026

What is CVE-2026-6956?

ATutor's /install/install.php endpoint is vulnerable to reflected XSS: an attacker can craft a malicious URL that, when opened by a user, executes arbitrary JavaScript in that user's browser. This poses significant risks, particularly since ATutor is no longer actively supported. The maintainers have not communicated which versions are vulnerable; only version 2.2.4 is confirmed affected.

Affected Version(s)

ATutor 2.2.4

CVSS V4

Score: 5.1
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Michał Majchrowicz (AFINE)
Marcin Wyczechowski (AFINE)
Pawel Zdunek (AFINE)