Skip to main content

Xerte Online Tools

2 CVEs product

Monthly

CVE-2026-14261 CRITICAL PATCH Act Now

Authentication bypass leading to remote code execution in Xerte Online Tools (all versions below 3.14.6 and below 3.15.5) lets unauthenticated remote attackers reach the exposed /setup/ installer and re-run the installation, pointing the application at a database they control and thereby seizing full control of the toolkit. The flaw scores CVSS 9.1 (AV:N/AC:L/PR:N/UI:N) and is tagged Authentication Bypass and RCE; a vendor patch exists but there is no public exploit identified at time of analysis. CISA's SSVC framework rates it not-exploited but automatable with partial technical impact.

Authentication Bypass RCE Xerte Online Tools
NVD GitHub
CVSS 3.1
9.1
EPSS
0.6%
CVE-2026-12116 CRITICAL PATCH Act Now

Remote code execution in Xerte Online Tools (versions before 3.14.6 and before 3.15.5) allows an attacker with access to the tools server settings to repoint the configured antivirus scanner binary path to a PHP interpreter, so that subsequently uploaded PHP content is passed to that interpreter and executed on the server. The input CVSS scores this 9.8 (unauthenticated network vector), but the described attack path hinges on modifying server-side settings, which typically requires administrative access — a contradiction worth flagging. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; a vendor patch is available.

Information Disclosure PHP Xerte Online Tools
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

Authentication bypass leading to remote code execution in Xerte Online Tools (all versions below 3.14.6 and below 3.15.5) lets unauthenticated remote attackers reach the exposed /setup/ installer and re-run the installation, pointing the application at a database they control and thereby seizing full control of the toolkit. The flaw scores CVSS 9.1 (AV:N/AC:L/PR:N/UI:N) and is tagged Authentication Bypass and RCE; a vendor patch exists but there is no public exploit identified at time of analysis. CISA's SSVC framework rates it not-exploited but automatable with partial technical impact.

Authentication Bypass RCE Xerte Online Tools
NVD GitHub
EPSS 0% CVSS 9.8
CRITICAL PATCH Act Now

Remote code execution in Xerte Online Tools (versions before 3.14.6 and before 3.15.5) allows an attacker with access to the tools server settings to repoint the configured antivirus scanner binary path to a PHP interpreter, so that subsequently uploaded PHP content is passed to that interpreter and executed on the server. The input CVSS scores this 9.8 (unauthenticated network vector), but the described attack path hinges on modifying server-side settings, which typically requires administrative access — a contradiction worth flagging. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; a vendor patch is available.

Information Disclosure PHP Xerte Online Tools
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy