{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/734812#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\n\r\nTwo vulnerabilities have been discovered in Xerte Online Toolkits, an open-source e-learning authoring toolsuite intended for the creation of learning materials within a web browser. CVE-2026-14261 tracks the persistence of the `/setup/` directory after installation, which allows an unauthenticated attacker to reconfigure the application to point to a remote database they control in order to gain administrative access. CVE-2026-12116 tracks an editable antivirus binary path that can be redirected to a PHP interpreter, causing uploaded files to be executed as PHP code and resulting in remote code execution (RCE). Version v3.15.5 or v3.14.6 of Xerte Online Toolkits fixes these vulnerabilities.\r\n\r\n### Description\r\n\r\nXerte Online Toolkits is a suite of a free, open-source e-learning authoring tools that allows users to make educational materials directly in-browser. The toolset is installed from multiple packages, and creates a `setup` folder that persists after installation. \r\n\r\n**CVE-2026-14261**\r\nA vulnerability in Xerte Online Toolkits allows for authentication bypass and remote code execution via reinstallation through the `/setup/` folder, enabling attackers to reinstall the service to a remote database they control.\r\n\r\n**CVE-2026-12116**\r\nA vulnerability in Xerte Online Toolkits allows for RCE through the antivirus binary path in the tools server settings. The antivirus binary runs on all uploaded files, but the path to the binary can be  modified using the configuration menu. An attacker can achieve remote code execution by redirecting the path to a PHP interpreter, causing any uploaded PHP scripts to be executed. \r\n\r\nDuring installation, Xerte creates a `/setup/` folder to configure database connection settings. This folder persists post-installation without access controls or automatic cleanup, and `/setup/index.php` does not verify whether installation has completed. An attacker can revisit `/setup/` and reconfigure the application to point to a remote database, thereby gaining administrative access. \r\n\r\nAfter gaining admin privileges, an attacker can abuse CVE-2026-12116 by editing the antivirus binary path to point to a PHP interpreter. This causes any new uploaded files to be passed to the PHP runtime through `website_code/php/import/fileupload.php`, bypassing file extension checks and resulting in remote code execution.\r\n\r\n### Impact\r\nSuccessful exploitation can allow full remote code execution on the affected server. This enables attackers to establish persistent access, exfiltrate data, or launch supply chain attacks by injecting malicious content into educational materials distributed by the platform.\r\n\r\n### Solution\r\nThese issues have been addressed in two commits:\r\n- [8fec660](https://github.com/thexerteproject/xerteonlinetoolkits/commit/8fec6602e80c5d35903d65e65b65b794297d8e90) removes `/setup/` automatically after installation/upgrade and blocks reuse.\r\n- [8ef2062](https://github.com/thexerteproject/xerteonlinetoolkits/commit/8ef20628f80bd88bd1fe3e5844a9116a910086b7) moves sensitive configuration files, including the antivirus binary path, to server-side locations.\r\n\r\nUsers should take the following steps immediately:\r\n1. Manually remove the initial installation `/setup/` folder from installations.  \r\n2. Upgrade to Xerte v3.15.5 or v3.14.6 and run `upgrade.php`, which enforces automatic `/setup/` removal and includes security hardening. If removal fails, the updated code still prevents exploitation. \r\nThis blog post: https://www.xerte.org.uk/index.php/en/news/blog/80-news/364-xerte-3-14-and-3-15-important-security-update contains more information and contact data for Xerte. \r\n\r\n### Acknowledgements\r\nThanks to the reporter, George Filippov from the Vexel Foundation. This document was written by Christopher Cullen.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"},{"category":"other","text":"The Xerte development team have recently liaised with a separate security researcher who reported a vulnerability and potential exploit when the setup code used for new Xerte installations has been left in place. They will make public disclosure of this in due course.\r\n\r\nBackground:\r\nPart of the guidance since the very first release of Xerte Online Toolkits many years ago has been to remove the setup folder after initial installation and also following upgrades, which means this vulnerability should not exist in public facing installations. However we haven’t until these new updates (see versions below) triggered automatic removal of the setup folder. We have also fixed and removed the potential for exploit in these new releases for even if the setup folder were to be left in place or not able to be removed by the upgrade script.\r\n\r\nImmediate actions for whoever looks after your installation:\r\nStep 1 Important: Ensure that your public facing installations do not include the \\setup\\ folder e.g. manually delete it.\r\nNote: this does not apply to the other folders with setup in the folder name only the \\setup\\ folder used for initial installation.\r\n\r\nStep 2 Optional: you could also upgrade to Xerte 3.15.5 or Xerte 3.14.6 and run upgrade.php which will update the version of your install and confirm automatic removal of the setup folder. If removal fails for any reason (e.g. permissions), the upgrade will still include the fixed setup code protecting from the potential exploit.\r\n\r\nPlease post any questions regarding this email in the Bugs and Issues section on the community forum.","title":"Vendor statment from Xerte"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/734812"},{"url":"https://github.com/thexerteproject/xerteonlinetoolkits/issues/1532","summary":"https://github.com/thexerteproject/xerteonlinetoolkits/issues/1532"},{"url":"https://github.com/thexerteproject/xerteonlinetoolkits/commit/8ef20628f80bd88bd1fe3e5844a9116a910086b7","summary":"https://github.com/thexerteproject/xerteonlinetoolkits/commit/8ef20628f80bd88bd1fe3e5844a9116a910086b7"},{"url":"https://github.com/thexerteproject/xerteonlinetoolkits/commit/8fec6602e80c5d35903d65e65b65b794297d8e90","summary":"https://github.com/thexerteproject/xerteonlinetoolkits/commit/8fec6602e80c5d35903d65e65b65b794297d8e90"},{"url":"https://github.com/thexerteproject/xerteonlinetoolkits/issues/1543","summary":"https://github.com/thexerteproject/xerteonlinetoolkits/issues/1543"},{"url":"https://www.xerte.org.uk/index.php/en/news/blog/80-news/364-xerte-3-14-and-3-15-important-security-update","summary":"https://www.xerte.org.uk/index.php/en/news/blog/80-news/364-xerte-3-14-and-3-15-important-security-update"},{"url":"https://xerte.org.uk/index.php/en/news/blog/80-news/364-xerte-3-14-and-3-15-important-security-update","summary":"Reference(s) from vendor \"Xerte\""},{"url":"https://github.com/thexerteproject/xerteonlinetoolkits/issues/1532","summary":"Reference(s) from vendor \"Xerte\""},{"url":"https://github.com/thexerteproject/xerteonlinetoolkits/issues/1543","summary":"Reference(s) from vendor \"Xerte\""}],"title":"Xerte Online Toolkit contains an authentication bypass that allows for RCE","tracking":{"current_release_date":"2026-07-09T12:37:51+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.43"}},"id":"VU#734812","initial_release_date":"2026-07-09 12:37:51.505298+00:00","revision_history":[{"date":"2026-07-09T12:37:51+00:00","number":"1.20260709123751.1","summary":"Released on 2026-07-09T12:37:51+00:00"}],"status":"final","version":"1.20260709123751.1"}},"vulnerabilities":[{"title":"A vulnerability in the Xerte Online Tools allows for RCE through the antivirus binary path in the tools server settings, which can be changed to a PHP interpreter, allowing an attacker to upload PHP data that will then be executed.","notes":[{"category":"summary","text":"A vulnerability in the Xerte Online Tools allows for RCE through the antivirus binary path in the tools server settings, which can be changed to a PHP interpreter, allowing an attacker to upload PHP data that will then be executed."}],"cve":"CVE-2026-12116","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#734812"}],"product_status":{"known_affected":["CSAFPID-ff723e8a-7b9c-11f1-9d37-026cba0b744b"]}},{"title":"A vulnerability in the Xerte Online Tools allows for authentication bypass and remote code execution via reinstallation through the /setup/ folder, enabling attackers to reinstall the service to a remote database they control.","notes":[{"category":"summary","text":"A vulnerability in the Xerte Online Tools allows for authentication bypass and remote code execution via reinstallation through the /setup/ folder, enabling attackers to reinstall the service to a remote database they control."}],"cve":"CVE-2026-14261","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#734812"}]}],"product_tree":{"branches":[{"category":"vendor","name":"Xerte","product":{"name":"Xerte Products","product_id":"CSAFPID-ff723e8a-7b9c-11f1-9d37-026cba0b744b"}}]}}