CVE-2026-6956
Description
ATutor is vulnerable to reflected XSS in the /install/install.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser.
The product is no longer actively supported. Maintainers of this project were notified early about this vulnerability, but did not respond with details of the vulnerability or the vulnerable version range. Only version 2.2.4 was tested and confirmed as vulnerable; other versions were not tested but might also be vulnerable.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ATutor 2.2.4 is vulnerable to reflected XSS in /install/install.php, allowing arbitrary JavaScript execution via crafted URLs.
Details
CVE-2026-6956 describes a reflected cross-site scripting (XSS) vulnerability in the /install/install.php endpoint of ATutor, an open-source learning management system. The vulnerability arises from improper neutralization of user-supplied input during web page generation (CWE-79), allowing an attacker to inject arbitrary JavaScript code into the response. Only version 2.2.4 was tested and confirmed vulnerable, but other versions may also be affected. The product is no longer actively supported [1].
Exploitation
An attacker can craft a malicious URL that, when visited by a victim, triggers the XSS payload via the install.php script. The attack does not require authentication or any special network position; the victim simply needs to click the link. Since the vulnerability is reflected, the payload is not stored on the server but delivered directly in the response [1].
Impact
Successful exploitation allows the attacker to execute arbitrary JavaScript in the context of the victim's browser session. This can lead to session hijacking, data theft, defacement, or redirection to malicious sites. The impact is limited to the victim's session and does not directly affect the server or other users [1].
Mitigation
No official patch has been released because ATutor is no longer actively maintained. Users are advised to discontinue use of ATutor or implement web application firewall (WAF) rules to block malicious requests to /install/install.php. Additionally, administrators should restrict access to the installation script and consider migrating to a supported LMS platform [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
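Because no patch exists, the practical defences above are access restriction and monitoring. The following is an added example, not code from the advisory or from the ATutor project: a small log scanner that flags any request reaching /install/install.php on a deployed instance, and raises the severity when the decoded query string carries HTML or script markers, which is what a reflected-XSS probe against the installer would look like. The log lines, IP addresses and the parameter name `p` are constructed for the example; nothing here comes from ATutor's own code.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Apache/nginx "combined" access-log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3})'
)
INSTALLER_PATH = "/install/install.php"
# Substrings that have no legitimate reason to appear in a query string sent to
# the installer; matched after percent/plus decoding and lower-casing.
MARKUP_MARKERS = ("<", ">", "javascript:", "onerror=", "onload=", "onclick=")

# Constructed sample lines (addresses from the RFC 5737 documentation ranges).
SAMPLE_LOG = """\
203.0.113.7 - - [18/May/2026:10:01:12 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [18/May/2026:10:01:40 +0000] "GET /install/install.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.9 - - [18/May/2026:10:02:05 +0000] "GET /install/install.php?p=1%3Cscript%3E HTTP/1.1" 200 2410 "-" "curl/8.0"
198.51.100.9 - - [18/May/2026:10:02:09 +0000] "GET /install/install.php?p=%3Cimg+src%3Dx+onerror%3Dx%3E HTTP/1.1" 403 199 "-" "curl/8.0"
"""

def classify(line):
    """Return a finding dict for a request to the installer, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if url.path != INSTALLER_PATH:
        return None
    # Decode before matching so percent- or plus-encoded markers are not missed.
    decoded = unquote_plus(url.query).lower()
    probe = any(marker in decoded for marker in MARKUP_MARKERS)
    return {
        "ip": m["ip"],
        "severity": "high" if probe else "medium",
        "reason": ("markup in installer query string (reflected-XSS probe)" if probe
                   else "installer script still reachable after deployment"),
        # A 403 means the WAF or access rule did its job; still worth counting.
        "blocked": m["status"] == "403",
    }

def scan(log_text):
    """Classify every line; returns findings in log order."""
    return [f for f in (classify(line) for line in log_text.splitlines()) if f]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:6} {f['ip']:14} blocked={f['blocked']!s:5} {f['reason']}")
```

Any "medium" finding on a production host is itself actionable: after setup the install directory should not be reachable at all, regardless of what the query string contains.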
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.