Home

Description

A vulnerability in the Xerte Online Tools allows for RCE through the antivirus binary path in the tools server settings, which can be changed to a PHP interpreter, allowing an attacker to upload PHP data that will then be executed.

PUBLISHED Reserved 2026-06-12 | Published 2026-07-09 | Updated 2026-07-09 | Assigner certcc

Problem types

CWE-94: Improper Control of Generation of Code ('Code Injection')

Product status

Any version before v3.15.5
affected

Any version before 3.14.6
affected

References

github.com/...ommit/8ef20628f80bd88bd1fe3e5844a9116a910086b7

github.com/thexerteproject/xerteonlinetoolkits/issues/1543

www.xerte.org.uk/...-3-14-and-3-15-important-security-update

cve.org (CVE-2026-12116)

nvd.nist.gov (CVE-2026-12116)

Download JSON