CVE-2026-4169
Status: Awaiting Analysis - Queue
Cross-Site Scripting in TCExam XML Export Component

Publication date: 2026-03-16

Last updated on: 2026-03-16

Assigner: VulDB

Description
A security flaw has been discovered in Tecnick TCExam up to version 16.6.0. Affected is the function F_xml_export_users in the file admin/code/tce_xml_users.php of the component XML Export. Manipulation of this function results in cross-site scripting. Remote exploitation is possible. There are still doubts about whether this vulnerability truly exists. Upgrading to version 16.6.1 addresses this issue. The patch is named 899b5b2fa09edfe16043f07265e44fe2022b7f12. It is suggested to upgrade the affected component. When the vendor was informed about another security issue, he identified and fixed this flaw during analysis. He doubts the impact of this: "However, this is difficult to justify as a security issue. It requires being an administrator to both create and consume the exploit. Administrators can do pretty much anything in the platform, so I don't see the point of this from a security perspective." This is reflected by the CVSS vector.
Meta Information
Published
2026-03-16
Last Modified
2026-03-16
Generated
2026-05-07
AI Q&A
2026-03-16
EPSS Evaluated
2026-05-05
Affected Vendors & Products
Associated CPEs (3):

Vendor: tecnick, Product: tcexam, Version / Range: up to 16.6.0 (inclusive)
Vendor: tecnik, Product: tcexam, Version / Range: up to 16.6.0 (inclusive)
Vendor: tecnik, Product: tcexam, Version / Range: 16.6.1
CWE Classification

CWE-79: The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability is a security flaw found in Tecnick TCExam versions up to 16.6.0, specifically in the function F_xml_export_users within the XML Export component. It allows for cross-site scripting (XSS) through manipulation of this function. Remote exploitation is possible, but there is uncertainty about the actual existence and impact of this vulnerability.

The vendor has noted that exploitation requires administrator privileges both to create and to consume the exploit, which limits its practical security impact since administrators already have broad control over the platform.

Upgrading to version 16.6.1 addresses this issue.


How can this vulnerability impact me?

The vulnerability could allow an attacker with administrator privileges to perform cross-site scripting attacks via the XML export users function. However, since exploitation requires administrator access, the practical impact is limited because administrators already have extensive control over the system.

The CVSS scores reflect a low to moderate severity, indicating limited impact on confidentiality and availability, but some potential for integrity issues.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

I don't know


What immediate steps should I take to mitigate this vulnerability?

The suggested immediate step to mitigate this vulnerability is to upgrade Tecnick TCExam to version 16.6.1, which addresses the issue.

