VYPR
Medium severity · NVD Advisory · Published May 11, 2026 · Updated May 12, 2026

CVE-2026-6909

Description

ATutor is vulnerable to Reflected XSS in /install/upgrade.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser.

Product is no longer actively supported. Maintainers of this project were notified early about this vulnerability, but did not respond with the details of the vulnerability or vulnerable version range. Only version 2.2.4 was tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Reflected XSS vulnerability in ATutor /install/upgrade.php allows arbitrary JavaScript execution via crafted URL; software is end-of-life but not patched.

Vulnerability Overview

CVE-2026-6909 describes a reflected cross-site scripting (XSS) vulnerability in ATutor, an open-source learning management system, specifically in the /install/upgrade.php endpoint. The software fails to properly neutralize user input during web page generation [1]: an attacker can supply a specially crafted URL containing script code that, when the URL is opened by a victim, is reflected back in the response and executed in the victim's browser. The weakness is classified as CWE-79: Improper Neutralization of Input During Web Page Generation.
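The CWE-79 pattern described above, as an added illustration (this is not ATutor's code and the page does not name the affected parameter; the parameter name `step`, the hostname `lms.example` and the payloads are assumptions for the example): a handler that echoes a query value straight into HTML, beside the same handler with output encoding. The attribute-context variant shows why encoding must also cover quotes, not only angle brackets.

```python
"""Illustrative reflected-XSS sink and its hardened form (added example,
not code from ATutor). Parameter name 'step' and host 'lms.example' are
placeholders; nothing here is derived from the real /install/upgrade.php."""
from html import escape
from urllib.parse import parse_qs, urlsplit


def _param(url: str, name: str) -> str:
    """Return the URL-decoded value of one query parameter ('' if absent)."""
    return parse_qs(urlsplit(url).query).get(name, [""])[0]


def render_unsafe(url: str) -> str:
    """Vulnerable: untrusted query value concatenated into element content."""
    return "<p>Upgrade step: " + _param(url, "step") + "</p>"


def render_safe(url: str) -> str:
    """Hardened: HTML-encode the value before it reaches the page."""
    return "<p>Upgrade step: " + escape(_param(url, "step"), quote=True) + "</p>"


def render_attr_unsafe(url: str) -> str:
    """Vulnerable attribute context: a double quote in the value closes the
    attribute and lets the attacker add event-handler attributes."""
    return '<input name="step" value="' + _param(url, "step") + '">'


def render_attr_safe(url: str) -> str:
    """Hardened attribute context: quote=True turns '"' into &quot; so the
    value cannot break out of the attribute."""
    return '<input name="step" value="' + escape(_param(url, "step"), quote=True) + '">'


# Constructed crafted URLs of the kind the advisory describes (assumed parameter).
CRAFTED_URL = (
    "https://lms.example/install/upgrade.php"
    "?step=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E"
)
ATTR_URL = (
    "https://lms.example/install/upgrade.php"
    "?step=%22%20autofocus%20onfocus%3Dalert(1)%20x%3D%22"
)

if __name__ == "__main__":
    for fn in (render_unsafe, render_safe):
        print(fn.__name__, "->", fn(CRAFTED_URL))
    for fn in (render_attr_unsafe, render_attr_safe):
        print(fn.__name__, "->", fn(ATTR_URL))
```

`render_safe` is the minimal fix for element content; attribute values, URLs and inline script each need their own encoding, which is why a single "escape everything" helper is not a substitute for context-aware output encoding.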

Attack Scenario

The vulnerability is triggered through a crafted URL, which can be delivered to the victim via phishing, social engineering, or other means. The attacker does not need an account: the script executes as soon as the victim opens the link, and if the victim is logged into ATutor at the time it runs in the context of that session. Only version 2.2.4 was tested and confirmed vulnerable; other versions were not tested but may also be affected [1]. The product is no longer actively supported [1][2], no fix has been released, and the maintainers did not respond to notifications about this vulnerability.

Impact

Successful exploitation results in arbitrary JavaScript execution in the victim's browser, in the origin of the ATutor site. This can lead to session hijacking, credential theft, defacement, redirection, or other actions depending on the attacker's payload. Because ATutor is an LMS, sensitive user data and course materials may be exposed.

Mitigation and Status

No patch is available, and the software is end-of-life [2]. Users are strongly advised to discontinue use or isolate instances from untrusted networks. No workaround has been provided by the vendor. Note that the affected endpoint sits under the /install directory, which a production instance has no reason to expose once installation is complete; blocking web access to that directory (a standard hardening step for PHP applications, not a vendor-provided workaround) removes the endpoint from reach. The vulnerability was publicly reported by CERT Polska [1].
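For operators who cannot retire an instance immediately, a hunting pass over web server access logs is the practical check. The following is an added example, not part of the advisory or of ATutor: it parses combined-format log lines, URL-decodes the query string (repeatedly, to catch double-encoded payloads) and flags any request to the /install/ directory, distinguishing requests whose query carries script-like markup from plain post-installation access to the installer. The log lines are constructed for the example; the parameter names in them are not from the real endpoint.

```python
"""Added example: hunt for requests to ATutor's /install/ directory in
combined-format access logs. Sample lines below are constructed; the
query parameter names are placeholders, not the real vulnerable parameter."""
import re
from urllib.parse import unquote_plus, urlsplit

# Apache/nginx combined log: ip ident user [time] "METHOD target proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Markup fragments that have no business in a query string. The lookbehind on
# the event-handler pattern avoids matching ordinary names such as "confirm=".
MARKERS = re.compile(
    r"<\s*script|<\s*img|<\s*svg|<\s*iframe|javascript:|(?<!\w)on\w+\s*=",
    re.IGNORECASE,
)
INSTALL_PREFIX = "/install/"


def fully_decode(value: str, rounds: int = 3) -> str:
    """URL-decode until stable (bounded), so %253C and %3C both become '<'."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify(line: str):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.startswith(INSTALL_PREFIX):
        return None
    decoded_query = fully_decode(parts.query)
    reason = "xss_marker" if MARKERS.search(decoded_query) else "install_dir_access"
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "path": parts.path,
        "decoded_query": decoded_query,
        "status": int(m.group("status")),
        "reason": reason,
    }


def scan(lines):
    """Run classify() over an iterable of log lines, keeping only findings."""
    return [f for f in (classify(l) for l in lines) if f is not None]


# Constructed sample log (not real traffic). Line 3 is double-encoded.
SAMPLE_LOG = [
    '203.0.113.5 - - [11/May/2026:10:00:01 +0000] "GET /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [11/May/2026:10:00:02 +0000] "GET /install/upgrade.php?step=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/May/2026:10:00:03 +0000] "GET /install/upgrade.php?step=%253Cimg%2520src%3Dx%2520onerror%3Dalert(1)%253E HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [11/May/2026:10:00:04 +0000] "GET /install/upgrade.php?step=2 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding["reason"], finding["ip"], finding["path"], finding["decoded_query"])
```

Treat every hit on /install/ as worth a look on a deployed system, not only the ones with markers: the marker list is a heuristic and a payload can be obfuscated past it, whereas a production LMS has no legitimate reason to serve its installer at all.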

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (2)

News mentions (0)

No linked articles in our index yet.