CVE-2026-6956

CVE-2026-6956 is a medium-severity vulnerability with a CVSS 4.0 base score of 5.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-79.

Key facts

Description

ATutor is vulnerable to Reflected XSS in /install/install.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is no longer actively supported. Maintainers of this project were notified early about this vulnerability, but did not respond with the details of the vulnerability or vulnerable version range. Only version 2.2.4 was tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.

Frequently asked questions

What is CVE-2026-6956?
ATutor is vulnerable to Reflected XSS in /install/install.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is no longer actively supported. Maintainers of this project were notified early about this vulnerability, but did not respond with the details of the vulnerability or vulnerable version range. Only version 2.2.4 was tested and confirmed as vulnerable, other versions were not tested but might also be vulnerable.
How severe is CVE-2026-6956?
CVE-2026-6956 has a CVSS 4.0 base score of 5.1, rated medium severity.
Is CVE-2026-6956 being actively exploited?
It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (31st percentile), an estimate of the probability of exploitation in the next 30 days.
How do I fix CVE-2026-6956?
Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
Does CVE-2026-6956 have an EU (EUVD) identifier?
Yes. CVE-2026-6956 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-29049.
When was CVE-2026-6956 published?
CVE-2026-6956 was published on 2026-05-11 and last updated on 2026-06-17.

References

Other CWE-79 (Cross-site Scripting (XSS)) vulnerabilities

Browse all CWE-79 (Cross-site Scripting (XSS)) vulnerabilities →