CVE-2026-6956 MEDIUM

CVE-2026-6956: Reflected XSS in ATutor

Vendor Atutor

Product ATutor

Weakness CWE-79 · XSS

Published May 11, 2026

Last update May 11, 2026

View on NVD All CVEs

CVSS base score

5.1/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction —

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N

What the vulnerability does

01Description

ATutor is vulnerable to Reflected XSS in /install/install.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is no longer actively supported. Maintainers of this project were notified early about this vulnerability, but did not respond with the details of the vulnerability or vulnerable version range. Only version 2.2.4 was tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.

Key dates

02Disclosure timeline

May 11, 2026 CVE published

May 11, 2026 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2026-6956

Related vulnerabilities

04Related CVE

CVE-2026-11434 FluentCMS Blocks Plugin blocks cross site scripting CVE-2026-34429 Vvveb < 1.0.8.1 Stored XSS via Media Upload and Rename CVE-2022-36037 Cross-site scripting (XSS) from dynamic options in the multiselect field in Kirby CVE-2024-35653 WordPress Visual Composer Website Builder, Landing Page Builder, Custom Theme Builder, Maintenance Mode & Coming Soon Pages plugin <= 45.8.0 - Cross Site Scripting (XSS) vulnerability CVE-2025-46888 Adobe Experience Manager | Cross-site Scripting (Stored XSS) (CWE-79)