XSS in Atutor

CVE-2026-6909

ATutor is vulnerable to Reflected XSS in /install/upgrade.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is no longer actively su…

Vulnerability class: XSS (Cross-Site Scripting)

EPSS: 0.001 (27.4th percentile) — read the EPSS interpretation.