CVE-2026-12116
Received Received - Intake

Remote Code Execution in Xerte Online Tools

Vulnerability report for CVE-2026-12116, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-09

Last updated on: 2026-07-09

Assigner: CERT/CC

Description

A vulnerability in the Xerte Online Tools allows for RCE through the antivirus binary path in the tools server settings, which can be changed to a PHP interpreter, allowing an attacker to upload PHP data that will then be executed.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-09
Last Modified
2026-07-09
Generated
2026-07-09
AI Q&A
2026-07-09
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
xerte_project xerte_online_toolkits From 3.14 (inc)
xerte_project xerte_online_toolkits From 3.15 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in the Xerte Online Tools allows an attacker to perform remote code execution (RCE) by manipulating the antivirus binary path in the server settings.

Specifically, the antivirus binary path can be changed to a PHP interpreter, which enables the attacker to upload PHP data that will then be executed on the server.

Impact Analysis

This vulnerability can lead to a complete compromise of the server running Xerte Online Tools.

By allowing remote code execution, an attacker can execute arbitrary PHP code on the server, potentially gaining unauthorized access, stealing data, or disrupting services.

Mitigation Strategies

To mitigate the vulnerability in Xerte Online Tools (CVE-2026-12116), immediate steps include restricting access to the antivirus configuration settings by moving them out of the management.php page to reduce the risk of unauthorized changes.

Additionally, ensure that the antivirus configuration cannot be manipulated to change the antivirus executable path to a PHP interpreter or any other executable that could lead to remote code execution.

Applying the fix from issue #1532 and the related changes that provide fallback antivirus configurations (such as disabling ClamAV checks if no custom config is present) can help prevent exploitation.

Compliance Impact

The vulnerability in Xerte Online Tools allows remote code execution by manipulating the antivirus binary path to execute arbitrary PHP code on the server. This could lead to unauthorized access, data breaches, or server compromise.

Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches.

However, the provided information does not explicitly discuss the direct impact on compliance or mention any regulatory assessments.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-12116. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart