Cross Site Scripting Vulnerability in Tecnick TCExam XML Export Component
CVE-2026-4169

4.8MEDIUM

Key Information:

Vendor

Tecnick

Status
Tcexam
Vendor
CVE Published:
15 March 2026

What is CVE-2026-4169?

A security flaw was identified in the XML Export feature of Tecnick TCExam, specifically in the F_xml_export_users function within the file admin/code/tce_xml_users.php. This vulnerability allows attackers to execute scripts in the context of a user's session, potentially leading to unauthorized access or data manipulation. The exploit requires administrative permissions to both create and exploit the vulnerability, raising questions about its overall impact. To mitigate this issue, users are strongly advised to upgrade to version 16.6.1, which includes a patch (named 899b5b2fa09edfe16043f07265e44fe2022b7f12) that addresses this security concern.

Affected Version(s)

TCExam 16.0

TCExam 16.1

TCExam 16.2

References

https://vuldb.com/?id.351076
vdb-entrytechnical-description
https://vuldb.com/?ctiid.351076
signaturepermissions-required
https://github.com/tecnickcom/tcexam/commit/899b5b2fa09ed...
patch

CVSS V4

Score:
4.8
Severity:
MEDIUM
Confidentiality:
None
Integrity:
Low
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

VulDB
.