Platform: php
Component: tcexam
Fixed in: 16.6.1
A cross-site scripting (XSS) vulnerability has been identified in TCExam, affecting versions from 16.0 up to and including 16.6.0. The flaw resides in the F_xml_export_users function of the admin/code/tce_xml_users.php file, specifically in the XML Export functionality. Successful exploitation could allow an attacker to execute malicious scripts within a user's browser, potentially leading to session hijacking or data theft. A patch, version 16.6.1, is available to resolve this issue.
The XSS vulnerability in TCExam allows an attacker to inject malicious scripts into web pages viewed by users of the application. This can be exploited to steal user credentials, redirect users to phishing sites, or deface the application's interface. The impact is amplified if the TCExam application is used to manage sensitive data or if it is integrated with other systems. While the vulnerability is rated as low severity, successful exploitation can still compromise user accounts and potentially lead to further attacks if the attacker gains access to administrative privileges. The ability to remotely exploit this vulnerability without authentication increases the potential for widespread impact.
The vulnerability was disclosed on 2026-03-15. Public proof-of-concept (PoC) code is currently unavailable, but the vulnerability's nature suggests it could be easily exploited. The vendor acknowledged the vulnerability and released a patch shortly after. The CVSS score of 2.4 (LOW) indicates a relatively low probability of exploitation, but the potential impact warrants prompt remediation.
Organizations using TCExam for exam management, particularly those with web-based interfaces, are at risk. Shared hosting environments where TCExam is installed alongside other applications are also vulnerable, as a compromise of one application could potentially lead to the exploitation of this XSS vulnerability in TCExam.
• php: Examine the admin/code/tce_xml_users.php file for the F_xml_export_users function. Search for instances where user-supplied data is output directly without proper sanitization or encoding.
grep -r 'F_xml_export_users' /path/to/tcexam/admin/code/
Disclosure
Exploit status
EPSS: 0.03% (9th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-4169 is to upgrade TCExam to version 16.6.1, which includes the necessary patch (899b5b2fa09edfe16043f07265e44fe2022b7f12). If immediate upgrading is not possible, consider implementing input validation and output encoding on user-supplied data within the XML Export functionality as a temporary workaround. Web application firewalls (WAFs) configured to detect and block XSS payloads can also provide an additional layer of protection. After upgrading, confirm the fix by attempting to trigger the XML export function with a crafted payload containing JavaScript code; the code should not execute.
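To make the detection hint and the output-encoding workaround above concrete, here is an added illustration (not TCExam's own code; the record fields, column and element names are assumptions) of a user export that interpolates database values raw, beside one that entity-encodes every value for its XML context:

```php
<?php
// Constructed sample record: a user whose first name carries markup, as it might
// if the value came from a form field that was stored without filtering.
$sample_users = [
    ['user_id' => 1, 'user_name' => 'alice', 'user_firstname' => 'Alice <b>"Admin"</b>'],
];

// Vulnerable pattern: field values land inside the document unchanged, so any markup
// stored in the record is emitted as real elements and the consuming browser acts on it.
function export_users_unsafe(array $users): string {
    $xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<tcexam_users>\n";
    foreach ($users as $u) {
        $xml .= "\t<user id=\"{$u['user_id']}\">\n";
        $xml .= "\t\t<name>{$u['user_name']}</name>\n";
        $xml .= "\t\t<firstname>{$u['user_firstname']}</firstname>\n";
        $xml .= "\t</user>\n";
    }
    return $xml . "</tcexam_users>\n";
}

// Hardened pattern: every dynamic value is entity-encoded for element text and attribute
// values, so '<', '>', '&', '"' and "'" can no longer open or close markup.
function xml_escape(string $value): string {
    return htmlspecialchars($value, ENT_XML1 | ENT_QUOTES, 'UTF-8');
}

function export_users_safe(array $users): string {
    $xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<tcexam_users>\n";
    foreach ($users as $u) {
        $xml .= "\t<user id=\"" . xml_escape((string) $u['user_id']) . "\">\n";
        $xml .= "\t\t<name>" . xml_escape($u['user_name']) . "</name>\n";
        $xml .= "\t\t<firstname>" . xml_escape($u['user_firstname']) . "</firstname>\n";
        $xml .= "\t</user>\n";
    }
    return $xml . "</tcexam_users>\n";
}

// Check: count how many <b> elements each export actually contains after parsing.
function injected_elements(string $xml): int {
    $doc = new DOMDocument();
    $doc->loadXML($xml);
    return $doc->getElementsByTagName('b')->length;
}

$unsafe = injected_elements(export_users_unsafe($sample_users)); // 1: markup became an element
$safe   = injected_elements(export_users_safe($sample_users));   // 0: markup stayed text
if ($unsafe !== 1 || $safe !== 0) {
    throw new RuntimeException("unexpected result: unsafe=$unsafe safe=$safe");
}
echo "raw export injected elements: $unsafe, encoded export injected elements: $safe\n";
```

The same check, run against the real export output before and after upgrading, is a quick way to confirm that stored markup reaches the XML only as escaped text.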
Update TCExam to version 16.6.1 or later. This update fixes the cross-site scripting (XSS) vulnerability in the F_xml_export_users function in the file admin/code/tce_xml_users.php. The update is available in the official Tecnick TCExam repository.
CVE-2026-4169 is a cross-site scripting (XSS) vulnerability affecting TCExam versions 16.0 through 16.6.0, allowing attackers to inject malicious scripts.
You are affected if you are using TCExam versions 16.0 to 16.6.0. Upgrade to version 16.6.1 to resolve the issue.
Upgrade TCExam to version 16.6.1. As a temporary workaround, implement input validation and output encoding.
While no active exploitation has been confirmed, the vulnerability's nature makes it potentially exploitable, and prompt remediation is recommended.
Refer to the vendor's official security advisory for detailed information and updates regarding CVE-2026-4169.