Description
A security flaw has been discovered in Tecnick TCExam up to 16.6.0. Affected is the function F_xml_export_users of the file admin/code/tce_xml_users.php of the component XML Export. Performing a manipulation results in cross site scripting. Remote exploitation of the attack is possible. There are still doubts about whether this vulnerability truly exists. Upgrading to version 16.6.1 is able to address this issue. The patch is named 899b5b2fa09edfe16043f07265e44fe2022b7f12. It is suggested to upgrade the affected component. When the vendor was informed about another security issue, he identified and fixed this flaw during analysis. He doubts the impact of this: "However, this is difficult to justify as security issue. It requires to be administrator to both create and consume the exploit. Administrators can do pretty much anything in the platform, so I don't see the point of this from a security perspective." This is reflected by the CVSS vector.
Published: 2026-03-15
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross Site Scripting
Action: Patch
AI Analysis

Impact

The vulnerability is a cross-site scripting flaw in the XML export function (F_xml_export_users) of Tecnick TCExam. An attacker who can manipulate the XML export payload can inject script that executes in the browser of an administrator viewing the exported file. The flaw is classified under CWE-79 and CWE-94, pointing to missing input validation and potentially code injection. While the vendor has expressed doubt about the real-world impact, the flaw still permits arbitrary script execution once a crafted export is opened.

Affected Systems

Affected versions are all releases of Tecnick TCExam up to and including 16.6.0. The affected file is admin/code/tce_xml_users.php. Version 16.6.1 contains the fix, referenced by commit 899b5b2fa09edfe16043f07265e44fe2022b7f12. The patch is included in the 16.6.1 release on the vendor's site and on GitHub.

Risk and Exploitability

CVSS scores place the severity at 4.8, a moderate rating, and the EPSS score is below 1%, indicating that exploit attempts are expected to be rare. The vulnerability is not catalogued in the CISA KEV list, which further suggests a low likelihood of exploitation. Remote exploitation is theoretically possible but requires administrative access both to create the export and to consume it, meaning an attacker with such privileges can already perform most administrative actions. In effect, unless a privileged account is already compromised, the risk is limited, and the practical threat is moderate.

Generated by OpenCVE AI on March 21, 2026 at 14:40 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Tecnick TCExam 16.6.1 or newer using the official release, or apply commit 899b5b2fa09edfe16043f07265e44fe2022b7f12 to the affected file. If an upgrade is not immediately possible, disable the XML export function for non-trusted users until the upgrade can be applied. Verify that exported XML contents are properly escaped and monitor logs for signs of unexpected script execution.
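To illustrate the escaping check in the last recommendation, the following is an added example and not TCExam's own code: the record layout and field names are assumed. It builds a small users export two ways, by string concatenation (the flawed pattern) and through an XML library, and checks that field values survive as escaped text rather than being interpreted as markup.

```python
import xml.etree.ElementTree as ET

# Constructed sample records; the layout is assumed and is not TCExam's schema.
SAMPLE_USERS = [
    {"user_id": "1", "user_name": "alice", "user_firstname": "Alice"},
    # A record whose name field carries markup, as a hostile account could enter it.
    {"user_id": "2", "user_name": "mallory",
     "user_firstname": '<script>alert("xss")</script>'},
]


def export_users_unsafe(users):
    """Concatenates field values straight into the document (the flawed pattern)."""
    parts = ["<users>"]
    for u in users:
        parts.append("<user>")
        for key, value in u.items():
            parts.append(f"<{key}>{value}</{key}>")
        parts.append("</user>")
    parts.append("</users>")
    return "".join(parts)


def export_users_safe(users):
    """Builds a tree with ElementTree so every text node is escaped on serialisation."""
    root = ET.Element("users")
    for u in users:
        node = ET.SubElement(root, "user")
        for key, value in u.items():
            ET.SubElement(node, key).text = value
    return ET.tostring(root, encoding="unicode")


def export_is_escaped(xml_text, users):
    """Check for an exported document: it must parse, and each field must come back
    as plain text equal to the original value, with no child elements created from it."""
    try:
        root = ET.fromstring(xml_text)
    except ET.ParseError:
        return False
    records = root.findall("user")
    if len(records) != len(users):
        return False
    for node, u in zip(records, users):
        for key, value in u.items():
            field = node.find(key)
            if field is None or len(field) != 0 or (field.text or "") != value:
                return False
    return True
```

Running the check against both exports shows the concatenated version fails because the injected tag becomes a child element, while the library-built version serialises it as `&lt;script&gt;` and passes.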


Advisories

No advisories yet.

History

Mon, 16 Mar 2026 16:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Sun, 15 Mar 2026 06:15:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in Tecnick TCExam up to 16.6.0. Affected is the function F_xml_export_users of the file admin/code/tce_xml_users.php of the component XML Export. Performing a manipulation results in cross site scripting. Remote exploitation of the attack is possible. There are still doubts about whether this vulnerability truly exists. Upgrading to version 16.6.1 is able to address this issue. The patch is named 899b5b2fa09edfe16043f07265e44fe2022b7f12. It is suggested to upgrade the affected component. When the vendor was informed about another security issue, he identified and fixed this flaw during analysis. He doubts the impact of this: "However, this is difficult to justify as security issue. It requires to be administrator to both create and consume the exploit. Administrators can do pretty much anything in the platform, so I don't see the point of this from a security perspective." This is reflected by the CVSS vector.
Title Tecnick TCExam XML Export tce_xml_users.php F_xml_export_users cross site scripting
First Time appeared Tecnick
Tecnick tcexam
Weaknesses CWE-79
CWE-94
CPEs cpe:2.3:a:tecnick:tcexam:*:*:*:*:*:*:*:*
Vendors & Products Tecnick
Tecnick tcexam
References
Metrics cvssV2_0

{'score': 3.3, 'vector': 'AV:N/AC:L/Au:M/C:N/I:P/A:N/E:ND/RL:OF/RC:C'}

cvssV3_0

{'score': 2.4, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C'}

cvssV3_1

{'score': 2.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:X/RL:O/RC:C'}

cvssV4_0

{'score': 4.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-03-16T15:43:55.190Z

Reserved: 2026-03-14T12:47:26.433Z

Link: CVE-2026-4169

Vulnrichment

Updated: 2026-03-16T15:43:47.713Z

NVD

Status: Awaiting Analysis

Published: 2026-03-16T14:19:56.593

Modified: 2026-03-16T14:53:07.390

Link: CVE-2026-4169

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T14:01:59Z

Weaknesses