Platform: php
Component: tcexam
Fixed version: 16.6.1
A cross-site scripting (XSS) vulnerability has been identified in TCExam, affecting versions from 16.0 up to and including 16.6.0. The flaw is in the F_xml_export_users function of admin/code/tce_xml_users.php, the code behind the administrative XML Export feature: user-supplied data is written into the exported document without adequate encoding. Successful exploitation allows an attacker to have script executed in the browser of whoever views the affected output, which can lead to session hijacking or data theft. Version 16.6.1 contains the fix.
Because the injected content is delivered through a page the application itself serves, an attacker can use it to steal session credentials, redirect users to phishing sites, or alter what the interface shows. The impact grows when the TCExam instance manages sensitive exam or student data or is integrated with other systems. The vulnerability is rated low severity, but a successful attack can still compromise user accounts, and since the vulnerable function lives under admin/code/, the accounts exposed are typically administrative ones, which makes follow-on attacks more damaging.
The vulnerability was disclosed on 2026-03-15. No public proof-of-concept code is known at the time of writing, but XSS in an export routine is simple to reproduce once the injection point is known. The vendor acknowledged the issue and released a patch shortly afterwards. The CVSS score of 2.4 (LOW) describes limited impact, not likelihood; the EPSS estimate below is the probability signal, and the combination still justifies prompt remediation given how cheaply the issue is fixed.
Organizations running an affected TCExam version are at risk whenever an administrator uses the XML Export feature in a browser. Instances that accept user-controlled profile data (names, e-mail addresses and similar fields that end up in the export) from a wide population of users are the most exposed, because that is the data the export writes out.
• php: Examine admin/code/tce_xml_users.php for the F_xml_export_users function and look for user-supplied fields being written into the XML output without an encoding step such as htmlspecialchars(). To locate the function in an installation:
grep -rn 'F_xml_export_users' /path/to/tcexam/admin/code/
Exploitation status
EPSS: 0.03% (9th percentile)
CISA SSVC: not stated on this page
CVSS vector: not stated on this page
The primary mitigation for CVE-2026-4169 is to upgrade TCExam to version 16.6.1, which includes the fix (commit 899b5b2fa09edfe16043f07265e44fe2022b7f12). If an immediate upgrade is not possible, apply output encoding to every user-supplied value written by the XML Export code as a temporary workaround; input validation on the fields that feed the export reduces exposure further but should not be relied on alone. A web application firewall configured to block XSS payloads adds a layer of defence but does not remove the underlying flaw. After upgrading, verify the fix by creating or editing a user record whose text fields contain harmless markup and running the XML export: the exported document should contain the entity-encoded form of that markup (for example `&lt;` rather than `<`), and nothing should execute when the export is opened in a browser.
Upgrade TCExam to 16.6.1 or later. This update fixes the cross-site scripting (XSS) vulnerability in the F_xml_export_users function of admin/code/tce_xml_users.php. The update is available from the official Tecnick TCExam repository.
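The following is an added illustration of the output-encoding workaround and the verification step described above. It is not TCExam's code: the function names, the record layout and the sample users are hypothetical, and the script only contrasts a naive export that interpolates user fields verbatim with one that encodes every dynamic value for XML. It runs stand-alone on PHP 8.

```php
<?php
// Added example, not TCExam code. Demonstrates the XML export pattern
// that causes CVE-2026-4169-style XSS and the output-encoded form that
// the workaround calls for. Function names and data are hypothetical.
declare(strict_types=1);

/** Encode a value for safe use as XML text content or an attribute value. */
function xmlEscape(string $value): string
{
    return htmlspecialchars($value, ENT_XML1 | ENT_QUOTES, 'UTF-8');
}

/** Vulnerable pattern: user-controlled fields land in the document unchanged. */
function exportUsersUnsafe(array $users): string
{
    $xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<users>\n";
    foreach ($users as $u) {
        $xml .= "  <user id=\"{$u['id']}\">\n";
        $xml .= "    <name>{$u['name']}</name>\n";
        $xml .= "    <email>{$u['email']}</email>\n";
        $xml .= "  </user>\n";
    }
    return $xml . "</users>\n";
}

/** Hardened pattern: every dynamic value passes through xmlEscape(). */
function exportUsersSafe(array $users): string
{
    $xml = "<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<users>\n";
    foreach ($users as $u) {
        $xml .= '  <user id="' . xmlEscape((string) $u['id']) . "\">\n";
        $xml .= '    <name>' . xmlEscape($u['name']) . "</name>\n";
        $xml .= '    <email>' . xmlEscape($u['email']) . "</email>\n";
        $xml .= "  </user>\n";
    }
    return $xml . "</users>\n";
}

/** Verification check: true if the export still carries a raw <script> tag. */
function containsRawScript(string $xml): bool
{
    return stripos($xml, '<script') !== false;
}

// Constructed sample input; the second record carries a harmless XSS probe.
$users = [
    ['id' => 1, 'name' => 'Alice Example',             'email' => 'alice@example.test'],
    ['id' => 2, 'name' => '<script>alert(1)</script>', 'email' => 'probe@example.test'],
];

$unsafe = exportUsersUnsafe($users);
$safe   = exportUsersSafe($users);

printf("unsafe export contains raw <script>: %s\n", containsRawScript($unsafe) ? 'yes' : 'no');
printf("safe export contains raw <script>:   %s\n", containsRawScript($safe) ? 'yes' : 'no');

// Encoding preserves the data: parsing the safe export yields the original name.
$dom = new DOMDocument();
$dom->loadXML($safe);
$decoded = $dom->getElementsByTagName('name')->item(1)->textContent;
printf("decoded second name: %s\n", $decoded);

echo "\n", $safe;
```

The check to run after upgrading is the same as the one the script performs on its own output: the exported document must contain `&lt;script&gt;` rather than `<script`, and reading the value back through an XML parser must return the original string, which confirms that encoding did not corrupt the data it protects.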
CVE-2026-4169 is a cross-site scripting (XSS) vulnerability affecting TCExam versions 16.0 through 16.6.0, allowing attackers to inject malicious scripts.
You are affected if you are using TCExam versions 16.0 to 16.6.0. Upgrade to version 16.6.1 to resolve the issue.
Upgrade TCExam to version 16.6.1. As a temporary workaround, implement input validation and output encoding.
While no active exploitation has been confirmed, the vulnerability's nature makes it potentially exploitable, and prompt remediation is recommended.
Refer to the vendor's official security advisory for detailed information and updates regarding CVE-2026-4169.