Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Unauthenticated network access to the reachable /setup/ installer (PR:N/AC:L/AV:N) yields full application takeover; reinstalling against an attacker DB compromises confidentiality, integrity and availability of the instance.
Primary rating from Vendor (certcc).
CVSS VectorVendor: certcc
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
5DescriptionCVE.org
A vulnerability in the Xerte Online Tools allows for authentication bypass and remote code execution via reinstallation through the /setup/ folder, enabling attackers to reinstall the service to a remote database they control.
AnalysisAI
Authentication bypass leading to remote code execution in Xerte Online Tools (all versions below 3.14.6 and below 3.15.5) lets unauthenticated remote attackers reach the exposed /setup/ installer and re-run the installation, pointing the application at a database they control and thereby seizing full control of the toolkit. The flaw scores CVSS 9.1 (AV:N/AC:L/PR:N/UI:N) and is tagged Authentication Bypass and RCE; a vendor patch exists but there is no public exploit identified at time of analysis. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the /setup/ installer folder remains web-reachable on the running instance - the specific prerequisite is a deployment where the setup/reinstallation endpoint was not removed or access-restricted after initial installation. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, base 9.1) describes a remote, low-complexity, unauthenticated attack with high confidentiality and integrity impact - a genuinely high-priority profile because no authentication or user interaction gates it. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker locates an internet-exposed Xerte Online Tools instance whose /setup/ installer is still reachable, sends unauthenticated HTTP requests to that endpoint, and re-runs the installation pointing the application at a database server the attacker controls. From that attacker-owned backend they seize administrative control and achieve remote code execution against the toolkit. … |
| Remediation | Vendor-released patch: upgrade to Xerte Online Tools 3.15.5 (for 3.15.x deployments) or 3.14.6 (for 3.14.x deployments), which contain the fix from commit 8fec6602e80c5d35903d65e65b65b794297d8e90; follow the official guidance at https://www.xerte.org.uk/index.php/en/news/blog/80-news/364-xerte-3-14-and-3-15-important-security-update. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit all Xerte Online Tools instances to identify which are running versions below 3.14.6 (3.14.x branch) or 3.15.5 (3.15.x branch); implement firewall or WAF rules to restrict external access to the /setup/ endpoint. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Xerte Online Tools
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-42583
GHSA-3g88-3v3g-pch4