Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
ATutor is vulnerable to Reflected XSS in /install/upgrade.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser.
Product is no longer actively supported. Maintainers of this project were notified early about this vulnerability, but did not respond with the details of the vulnerability or vulnerable version range. Only version 2.2.4 was tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.
AnalysisAI
Reflected XSS in ATutor's /install/upgrade.php endpoint allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser via a specially crafted URL. The vulnerability affects at least version 2.2.4 and potentially other versions; the product is no longer actively maintained and vendors did not respond with details about the full vulnerable version range. While CVSS 5.1 indicates low severity, the attack requires user interaction (clicking a malicious link) and has limited scope impact.
Technical ContextAI
ATutor is a web-based learning content management system (LCMS) written in PHP. The vulnerability exists in the /install/upgrade.php endpoint, which is typically part of the installation and upgrade workflow. The root cause is CWE-79 (Improper Neutralization of Input During Web Page Generation), meaning user-supplied input is reflected directly into the HTML response without proper sanitization or encoding. Reflected XSS vulnerabilities occur when an attacker-controlled parameter is echoed back in the HTTP response and executed by the victim's browser. The upgrade.php script, being part of the installation phase, may be accessible even on deployed instances if not properly restricted or removed after initial setup.
RemediationAI
No vendor-released patch is available, as ATutor is no longer actively maintained and the vendor did not respond to initial disclosure. Immediate mitigation: remove or restrict access to the /install/upgrade.php endpoint and the entire /install directory after initial deployment. This can be enforced via web server configuration (e.g., Apache .htaccess with Deny from all or nginx location block with deny all) or by physically deleting the /install directory if upgrades are no longer needed. If in-place upgrades are still required, protect the upgrade endpoint with strong authentication (e.g., require valid admin credentials before upgrade.php is accessible) or IP whitelisting. Consider disabling PHP script execution in the /install directory via web server configuration if the directory must remain for file serving purposes. For long-term risk reduction, organizations should migrate to an actively maintained alternative learning management system (LMS) or fork ATutor with their own security patches. Temporary mitigation on the front-end: users can use security browser extensions that block inline scripts, though this may break legitimate functionality. Reference: CERT-PL disclosure at https://cert.pl/en/posts/2026/05/CVE-2026-6909.
sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not
(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear
ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C
Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au
Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c
Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re
The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29048
GHSA-wcg3-35qx-r9pp