search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Xerte Online Toolkit contains an authentication bypass that allows for RCE

Vulnerability Note VU#734812

Original Release Date: 2026-07-09 | Last Revised: 2026-07-09

Overview

Two vulnerabilities have been discovered in Xerte Online Toolkits, an open-source e-learning authoring toolsuite intended for the creation of learning materials within a web browser. CVE-2026-14261 tracks the persistence of the /setup/ directory after installation, which allows an unauthenticated attacker to reconfigure the application to point to a remote database they control in order to gain administrative access. CVE-2026-12116 tracks an editable antivirus binary path that can be redirected to a PHP interpreter, causing uploaded files to be executed as PHP code and resulting in remote code execution (RCE). Version v3.15.5 or v3.14.6 of Xerte Online Toolkits fixes these vulnerabilities.

Description

Xerte Online Toolkits is a suite of a free, open-source e-learning authoring tools that allows users to make educational materials directly in-browser. The toolset is installed from multiple packages, and creates a setup folder that persists after installation.

CVE-2026-14261
A vulnerability in Xerte Online Toolkits allows for authentication bypass and remote code execution via reinstallation through the /setup/ folder, enabling attackers to reinstall the service to a remote database they control.

CVE-2026-12116
A vulnerability in Xerte Online Toolkits allows for RCE through the antivirus binary path in the tools server settings. The antivirus binary runs on all uploaded files, but the path to the binary can be modified using the configuration menu. An attacker can achieve remote code execution by redirecting the path to a PHP interpreter, causing any uploaded PHP scripts to be executed.

During installation, Xerte creates a /setup/ folder to configure database connection settings. This folder persists post-installation without access controls or automatic cleanup, and /setup/index.php does not verify whether installation has completed. An attacker can revisit /setup/ and reconfigure the application to point to a remote database, thereby gaining administrative access.

After gaining admin privileges, an attacker can abuse CVE-2026-12116 by editing the antivirus binary path to point to a PHP interpreter. This causes any new uploaded files to be passed to the PHP runtime through website_code/php/import/fileupload.php, bypassing file extension checks and resulting in remote code execution.

Impact

Successful exploitation can allow full remote code execution on the affected server. This enables attackers to establish persistent access, exfiltrate data, or launch supply chain attacks by injecting malicious content into educational materials distributed by the platform.

Solution

These issues have been addressed in two commits:
- 8fec660 removes /setup/ automatically after installation/upgrade and blocks reuse.
- 8ef2062 moves sensitive configuration files, including the antivirus binary path, to server-side locations.

Users should take the following steps immediately:
1. Manually remove the initial installation /setup/ folder from installations.
2. Upgrade to Xerte v3.15.5 or v3.14.6 and run upgrade.php, which enforces automatic /setup/ removal and includes security hardening. If removal fails, the updated code still prevents exploitation.
This blog post: https://www.xerte.org.uk/index.php/en/news/blog/80-news/364-xerte-3-14-and-3-15-important-security-update contains more information and contact data for Xerte.

Acknowledgements

Thanks to the reporter, George Filippov from the Vexel Foundation. This document was written by Christopher Cullen.

Vendor Information

734812
 

Xerte Affected

Notified:  2026-06-01 Updated: 2026-07-09

Statement Date:   June 17, 2026

CVE-2026-12116 Affected
CVE-2026-14261 Unknown

Vendor Statement

The Xerte development team have recently liaised with a separate security researcher who reported a vulnerability and potential exploit when the setup code used for new Xerte installations has been left in place. They will make public disclosure of this in due course.

Background:
Part of the guidance since the very first release of Xerte Online Toolkits many years ago has been to remove the setup folder after initial installation and also following upgrades, which means this vulnerability should not exist in public facing installations. However we haven’t until these new updates (see versions below) triggered automatic removal of the setup folder. We have also fixed and removed the potential for exploit in these new releases for even if the setup folder were to be left in place or not able to be removed by the upgrade script.

Immediate actions for whoever looks after your installation:
Step 1 Important: Ensure that your public facing installations do not include the \setup\ folder e.g. manually delete it.
Note: this does not apply to the other folders with setup in the folder name only the \setup\ folder used for initial installation.

Step 2 Optional: you could also upgrade to Xerte 3.15.5 or Xerte 3.14.6 and run upgrade.php which will update the version of your install and confirm automatic removal of the setup folder. If removal fails for any reason (e.g. permissions), the upgrade will still include the fixed setup code protecting from the potential exploit.

Please post any questions regarding this email in the Bugs and Issues section on the community forum.

References

University of Nottingham Unknown

Updated: 2026-07-09

CVE-2026-12116 Unknown
CVE-2026-14261 Unknown

Vendor Statement

We have not received a statement from the vendor.


Other Information

CVE IDs: CVE-2026-12116 CVE-2026-14261
API URL: VINCE JSON | CSAF
Date Public: 2026-07-09
Date First Published: 2026-07-09
Date Last Updated: 2026-07-09 12:37 UTC
Document Revision: 1

Sponsored by CISA.