Description
A vulnerability was identified in Tecnick TCExam 16.5.0. This impacts an unknown function of the file /admin/code/tce_edit_group.php of the component Group Handler. Such manipulation of the argument Name leads to cross site scripting. The attack may be launched remotely. The exploit is publicly available and might be used. The presence of this vulnerability remains uncertain at this time. The affected component should be upgraded. The vendor explained: "I was not able to reproduce the same exploit as the TCExam version was already advanced in the meanwhile." Therefore, it can be assumed that this issue got fixed in a later release.
Published: 2026-03-15
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting
Action: Patch Upgrade
AI Analysis

Impact

A stored cross‑site scripting flaw exists in the Group Handler of Tecnick TCExam 16.5.0, where an attacker can inject malicious JavaScript by manipulating the Name parameter in the /admin/code/tce_edit_group.php script. Because the application stores the injection without proper encoding, scripts are executed in the browsers of users who view the affected group data. Attackers could steal session cookies, deface content, or carry out further phishing attacks.

Affected Systems

The vulnerability impacts TCExam 16.5.0 released by Tecnick. No other versions are explicitly listed. The vendor reports being unable to reproduce the exploit on a more recent version, so the issue is assumed to be fixed in a later release; users should verify that their installation is updated beyond 16.5.0.

Risk and Exploitability

The CVSS base score is 4.8, indicating moderate severity, and the EPSS score is below 1 percent, suggesting low exploitation likelihood. The flaw is not listed in the CISA KEV catalog. Attackers would need remote access to the web interface and a crafted request to the group editing endpoint; the vulnerability is exploitable through standard HTTP calls.

Generated by OpenCVE AI on March 21, 2026 at 14:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade TCExam to the latest release that removes the XSS issue
  • Verify that the Name field is properly sanitized or encoded, and that the application’s input validation routines are active
  • Monitor web application logs for unexpected POST requests to /admin/code/tce_edit_group.php

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 16:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Sun, 15 Mar 2026 06:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | A vulnerability was identified in Tecnick TCExam 16.5.0. This impacts an unknown function of the file /admin/code/tce_edit_group.php of the component Group Handler. Such manipulation of the argument Name leads to cross site scripting. The attack may be launched remotely. The exploit is publicly available and might be used. The presence of this vulnerability remains uncertain at this time. The affected component should be upgraded. The vendor explained: "I was not able to reproduce the same exploit as the TCExam version was already advanced in the meanwhile." Therefore, it can be assumed that this issue got fixed in a later release. |
| Title | | Tecnick TCExam Group tce_edit_group.php cross site scripting |
| First Time appeared | | Tecnick; Tecnick tcexam |
| Weaknesses | | CWE-79; CWE-94 |
| CPEs | | cpe:2.3:a:tecnick:tcexam:*:*:*:*:*:*:*:* |
| Vendors & Products | | Tecnick; Tecnick tcexam |
| References | | |
| Metrics | | cvssV2_0: {'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:OF/RC:C'} |
| | | cvssV3_0: {'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'} |
| | | cvssV3_1: {'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C'} |
| | | cvssV4_0: {'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P'} |


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-16T15:45:07.014Z

Reserved: 2026-03-14T12:47:23.328Z

Link: CVE-2026-4168

Vulnrichment

Updated: 2026-03-16T15:45:01.471Z

NVD

Status: Awaiting Analysis

Published: 2026-03-16T14:19:56.350

Modified: 2026-03-16T14:53:07.390

Link: CVE-2026-4168

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T14:02:00Z

Weaknesses