NVD/NIST · CVE-2026-6909
ATutor Hit by Reflected XSS Flaw
Published May 11, 2026 at 10:16 AM · Severity: low
What happened
A reflected cross-site scripting vulnerability (CVE-2026-6909) was disclosed in ATutor's /install/upgrade.php endpoint, allowing attackers to run malicious JavaScript in a victim's browser through a crafted link. Since ATutor is no longer maintained and the vendor did not respond, anyone still running version 2.2.4 (and likely other versions) is at risk. Defenders should retire ATutor installations or isolate them behind authentication and web application firewall rules to block malicious URL parameters.
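The advisory recommends isolating the endpoint and filtering malicious URL parameters. The following Python script, added here as an illustration and not part of the advisory or the ATutor project, shows the defender-side half of that: it parses Apache combined-format access logs, restricts attention to /install/upgrade.php, decodes each query parameter, and flags values that carry script markup or inline event handlers. The log lines are constructed samples, the indicator patterns are a coarse generic XSS heuristic (the advisory does not name the vulnerable parameter, so every parameter is checked), and `is_malicious_request` is the same check packaged the way a request-time WAF rule would use it.

```python
"""Detection and request-filtering helper for reflected XSS attempts against
ATutor's /install/upgrade.php (CVE-2026-6909). Added example; the log lines
below are constructed, not real traffic."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Constructed sample access-log lines in Apache combined format.
SAMPLE_LOG = """\
203.0.113.5 - - [11/May/2026:10:20:01 +0000] "GET /install/upgrade.php?step=2 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [11/May/2026:10:21:14 +0000] "GET /install/upgrade.php?step=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.7 - - [11/May/2026:10:21:30 +0000] "GET /index.php?page=%3Cimg+src%3Dx+onerror%3Dalert(1)%3E HTTP/1.1" 200 900 "-" "Mozilla/5.0"
192.0.2.9 - - [11/May/2026:10:22:05 +0000] "GET /install/upgrade.php?step=2&dir=%22%20onmouseover%3D%22x HTTP/1.1" 200 512 "-" "curl/8.0"
"""

# Minimal combined-log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Coarse indicators of HTML/JS injection that have no place in a query value:
# a script tag, a tag with an inline event handler, a javascript: URL, or a
# bare on*="..." attribute used to break out of an existing attribute.
XSS_INDICATORS = re.compile(
    r'<\s*script'
    r'|<\s*[a-z]+[^>]*\son[a-z]+\s*='
    r'|javascript\s*:'
    r'|on[a-z]+\s*=\s*["\']',
    re.IGNORECASE,
)

# The endpoint named in the advisory.
TARGET_PATH = "/install/upgrade.php"


def parse_line(line):
    """Parse one access-log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def suspicious_params(target, decode_rounds=2):
    """Return [(name, decoded_value)] for query parameters carrying XSS markup.

    parse_qsl already URL-decodes once; extra rounds catch double-encoded
    payloads that a PHP script may decode again before echoing them."""
    query = urlsplit(target).query
    hits = []
    for name, value in parse_qsl(query, keep_blank_values=True):
        decoded = value
        for _ in range(decode_rounds - 1):
            decoded = unquote_plus(decoded)
        if XSS_INDICATORS.search(decoded):
            hits.append((name, decoded))
    return hits


def is_malicious_request(target, path=TARGET_PATH):
    """Request-time check usable as a WAF rule: block only if the request is
    for the vulnerable endpoint and a parameter contains injection markup."""
    return urlsplit(target).path == path and bool(suspicious_params(target))


def scan(log_text, path=TARGET_PATH):
    """Scan a log and return (ip, path, hits) for each request that would be blocked."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_malicious_request(rec["target"], path):
            continue
        findings.append((rec["ip"], urlsplit(rec["target"]).path, suspicious_params(rec["target"])))
    return findings


if __name__ == "__main__":
    for ip, path, hits in scan(SAMPLE_LOG):
        print(f"{ip} -> {path}: {hits}")
```

Scoping the rule to the one affected path keeps false positives low; the `on[a-z]+=` alternative is deliberately broad and will also trip on harmless words like `onion="x"`, so treat a hit as a prompt to review the request rather than a confirmed attack. The better fix remains the one the advisory gives: decommission the install directory or put it behind authentication.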
Tags
#atutor #xss #cve-2026-6909 #unpatched #web-vulnerability
Source reference
https://atutor.github.io/