CVE-2026-6956 Overview
CVE-2026-6956 is a Reflected Cross-Site Scripting (XSS) vulnerability in ATutor, an open-source learning management system. The flaw resides in the /install/install.php endpoint, which fails to properly sanitize user-supplied input before reflecting it into the HTTP response. An attacker who lures a victim into visiting a crafted URL can execute arbitrary JavaScript in the victim's browser under the application's origin. ATutor is no longer actively maintained, and the project did not respond to coordinated disclosure attempts. Only version 2.2.4 was confirmed vulnerable during testing, though earlier releases may share the same defect. The weakness is classified under CWE-79.
Critical Impact
A crafted URL targeting /install/install.php triggers arbitrary JavaScript execution in the victim's browser, enabling session theft, credential harvesting, and content manipulation within the ATutor interface.
Affected Products
- ATutor version 2.2.4 (confirmed vulnerable)
- Earlier ATutor releases (untested, potentially vulnerable)
- ATutor deployments exposing the /install/install.php endpoint
Discovery Timeline
- 2026-05-11 - CVE-2026-6956 published to NVD
- 2026-05-12 - Last updated in NVD database
Technical Details for CVE-2026-6956
Vulnerability Analysis
The vulnerability exists in the ATutor installer script at /install/install.php. The script accepts request parameters and reflects them into the rendered HTML response without applying output encoding or input validation. An attacker constructs a URL containing JavaScript payload data within a vulnerable parameter. When the victim clicks the link, the browser parses the reflected payload as executable script within the trusted ATutor origin.
Reflected XSS in installer endpoints is particularly relevant because installation scripts are sometimes left accessible on production deployments. The installer typically runs with broad access to configuration files and database credentials, making any session-level compromise within that context valuable to attackers. User interaction is required, which is reflected in the CVSS 4.0 vector through the UI:A (active user interaction) component.
Root Cause
The root cause is missing output encoding in the installer's response generation logic. User input passed via the HTTP request reaches the HTML response context without HTML-entity encoding or contextual escaping. This violates the standard defense for CWE-79 (Improper Neutralization of Input During Web Page Generation). Because ATutor is unmaintained, no upstream code-level fix has been issued.
Attack Vector
Exploitation follows the standard reflected XSS pattern. The attacker crafts a URL of the form https://<victim-host>/install/install.php?<param>=<payload> containing JavaScript designed to execute in the victim's browser. The attacker delivers this URL through phishing emails, social media messages, or malicious advertisements. When the victim clicks the link while authenticated to ATutor, the injected script runs with full access to the page's DOM, cookies not marked HttpOnly, and any active session state. No verified proof-of-concept code is available; refer to the Cert.pl analysis for additional technical context.
Detection Methods for CVE-2026-6956
Indicators of Compromise
- HTTP GET or POST requests to /install/install.php containing URL-encoded <script> tags, javascript: URIs, or event-handler attributes such as onerror= and onload=.
- Web server access logs showing referrers from external domains targeting the installer endpoint.
- Unexpected outbound requests from user browsers to attacker-controlled domains immediately after accessing ATutor URLs.
Detection Strategies
- Deploy web application firewall (WAF) rules that inspect query string and POST body parameters submitted to /install/install.php for XSS signatures.
- Enable Content Security Policy (CSP) violation reporting to surface inline script execution attempts originating from reflected payloads.
- Correlate authentication events with anomalous JavaScript-driven actions, such as rapid profile changes or session token exfiltration patterns.
Monitoring Recommendations
- Alert on any HTTP traffic reaching /install/install.php on production hosts, since this endpoint should not be accessible after installation.
- Monitor script-execution telemetry from endpoint protection agents (browser or DOM-level instrumentation) for unexpected script activity within ATutor origins.
- Review web proxy logs for outbound connections to unfamiliar domains triggered by ATutor page loads.
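The indicators and the "alert on any traffic to /install/install.php" rule above, turned into a small log-scanning script. This is an added example, not code from the advisory or from the ATutor project; the log lines are constructed samples in Combined Log Format, and the own_host name is an assumption.

```python
import re
from urllib.parse import unquote_plus, urlparse

INSTALLER_PATH = "/install/install.php"

# Combined Log Format (the Apache/nginx default); named groups are used below.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
# Reflected-XSS markers named in the advisory: script tags, javascript: URIs,
# and event-handler attributes such as onerror= / onload=.
XSS_RE = re.compile(r'<\s*script|javascript\s*:|\bon(error|load)\s*=', re.IGNORECASE)

def classify(line, own_host):
    """Return an alert dict for a request to the installer endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if path != INSTALLER_PATH:
        return None                                   # only the installer matters here
    decoded = unquote_plus(unquote_plus(query))       # two passes catch double-encoding
    referer = m.group("referer")
    return {
        "ip": m.group("ip"),
        "time": m.group("time"),
        "method": m.group("method"),
        # any request to the installer on a production host is worth an alert;
        # a payload marker in the decoded query raises it to high
        "severity": "high" if XSS_RE.search(decoded) else "medium",
        "external_referer": referer != "-" and urlparse(referer).hostname not in (None, own_host),
        "query": decoded,
    }

def scan(log_text, own_host="atutor.example"):   # own_host is an assumed deployment name
    """Scan a whole access log and return alerts in log order."""
    return [a for a in (classify(l, own_host) for l in log_text.splitlines()) if a]

# Constructed sample log lines (not real traffic): a benign page, a plain installer
# hit, a URL-encoded script tag with an external referrer, and an onerror= attribute.
SAMPLE_LOG = """\
203.0.113.5 - - [12/May/2026:10:01:02 +0000] "GET /index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2026:10:02:10 +0000] "GET /install/install.php?step=1 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.9 - - [12/May/2026:10:03:44 +0000] "GET /install/install.php?step=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 2101 "http://external.example/" "Mozilla/5.0"
198.51.100.9 - - [12/May/2026:10:04:01 +0000] "GET /install/install.php?step=%22%20onerror%3Dalert(1)%20 HTTP/1.1" 200 2101 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(a["severity"], a["ip"], a["query"], "(external referrer)" if a["external_referer"] else "")
```

Running the script on the samples yields one medium alert for the plain installer hit and two high alerts for the encoded payloads, the first of them flagged as arriving from an external referrer.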
How to Mitigate CVE-2026-6956
Immediate Actions Required
- Remove or rename the /install/ directory on all production ATutor deployments. The installer should not remain accessible after initial setup.
- Restrict access to /install/install.php through web server access control lists, allowing only trusted administrative IP ranges.
- Plan migration away from ATutor, since the project is no longer actively supported and will not receive vendor patches.
Patch Information
No official patch is available. The ATutor project is unmaintained, and maintainers did not respond to disclosure attempts. Organizations must apply compensating controls or migrate to a supported learning management platform. Review the ATutor project homepage for current project status.
Workarounds
- Delete the install directory entirely after ATutor setup completes to eliminate the vulnerable endpoint.
- Deploy a reverse proxy rule that blocks all requests to paths matching /install/* with an HTTP 403 response.
- Implement a strict Content Security Policy that disallows inline script execution, reducing the impact of reflected XSS payloads.
- Apply WAF signatures that block requests containing common XSS patterns in query parameters destined for ATutor hosts.
# Nginx configuration example to block installer access
location ~* ^/install/ {
    # return fires in the rewrite phase, before access checks, so the 403 is
    # sent regardless; deny all is kept as a second line of defense
    deny all;
    return 403;
}

# Apache equivalent (2.4 syntax) in .htaccess or vhost configuration
<LocationMatch "^/install/">
    Require all denied
</LocationMatch>
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.