CVE-2026-14261
9.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Summary
A vulnerability in the Xerte Online Tools allows for authentication bypass and remote code execution via reinstallation through the /setup/ folder, enabling attackers to reinstall the service to a remote database they control.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Xerte | Xerte Online Tools | 0 < 3.14.6 | affected |
| Xerte | Xerte Online Tools | 0 < 3.15.5 | affected |
Weaknesses
- CWE-288: Authentication Bypass Using an Alternate Path or Channel
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: yes
- Technical Impact: total
References
- https://github.com/thexerteproject/xerteonlinetoolkits/issues/1532
- https://github.com/thexerteproject/xerteonlinetoolkits/commit/8fec6602e80c5d35903d65e65b65b794297d8e90
- https://www.xerte.org.uk/index.php/en/news/blog/80-news/364-xerte-3-14-and-3-15-important-security-update
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.