Skip to main content

Xerte Online Tools EUVDEUVD-2026-42583

| CVE-2026-14261 CRITICAL
2026-07-09 certcc GHSA-3g88-3v3g-pch4
9.1
CVSS 3.1 · Vendor: certcc
Share

Severity by source

Vendor (certcc) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
9.8 CRITICAL

Unauthenticated network access to the reachable /setup/ installer (PR:N/AC:L/AV:N) yields full application takeover; reinstalling against an attacker DB compromises confidentiality, integrity and availability of the instance.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (certcc).

CVSS VectorVendor: certcc

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

5
Analysis Generated
Jul 09, 2026 - 16:50 vuln.today
Severity Changed
Jul 09, 2026 - 16:22 NVD
HIGH CRITICAL
CVSS changed
Jul 09, 2026 - 16:22 NVD
7.5 (HIGH) 9.1 (CRITICAL)
Patch available
Jul 09, 2026 - 15:01 EUVD
CVE Published
Jul 09, 2026 - 12:37 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

A vulnerability in the Xerte Online Tools allows for authentication bypass and remote code execution via reinstallation through the /setup/ folder, enabling attackers to reinstall the service to a remote database they control.

AnalysisAI

Authentication bypass leading to remote code execution in Xerte Online Tools (all versions below 3.14.6 and below 3.15.5) lets unauthenticated remote attackers reach the exposed /setup/ installer and re-run the installation, pointing the application at a database they control and thereby seizing full control of the toolkit. The flaw scores CVSS 9.1 (AV:N/AC:L/PR:N/UI:N) and is tagged Authentication Bypass and RCE; a vendor patch exists but there is no public exploit identified at time of analysis. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Discover exposed Xerte instance
Delivery
Request reachable /setup/ endpoint
Exploit
Bypass auth via reinstall flow
Execution
Redirect app to attacker-controlled database
Impact
Gain admin control and RCE

Vulnerability AssessmentAI

Exploitation Exploitation requires that the /setup/ installer folder remains web-reachable on the running instance - the specific prerequisite is a deployment where the setup/reinstallation endpoint was not removed or access-restricted after initial installation. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N, base 9.1) describes a remote, low-complexity, unauthenticated attack with high confidentiality and integrity impact - a genuinely high-priority profile because no authentication or user interaction gates it. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker locates an internet-exposed Xerte Online Tools instance whose /setup/ installer is still reachable, sends unauthenticated HTTP requests to that endpoint, and re-runs the installation pointing the application at a database server the attacker controls. From that attacker-owned backend they seize administrative control and achieve remote code execution against the toolkit. …
Remediation Vendor-released patch: upgrade to Xerte Online Tools 3.15.5 (for 3.15.x deployments) or 3.14.6 (for 3.14.x deployments), which contain the fix from commit 8fec6602e80c5d35903d65e65b65b794297d8e90; follow the official guidance at https://www.xerte.org.uk/index.php/en/news/blog/80-news/364-xerte-3-14-and-3-15-important-security-update. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Audit all Xerte Online Tools instances to identify which are running versions below 3.14.6 (3.14.x branch) or 3.15.5 (3.15.x branch); implement firewall or WAF rules to restrict external access to the /setup/ endpoint. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-42583 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy