VU#734812: Xerte Online Toolkit contains an authentication bypass that allows for RCE
Two critical vulnerabilities have been identified in Xerte Online Toolkits, an open-source e-learning authoring tool. The first vulnerability, CVE-2026-14261, allows unauthenticated attackers to gain administrative access. This is achieved by exploiting the persistent /setup/ directory after installation. Attackers can reconfigure the application to connect to a remote database they control. Subsequently, an attacker with administrative privileges can exploit CVE-2026-12116. This second vulnerability involves an editable antivirus binary path within the tool's settings. By redirecting this path to a PHP interpreter, uploaded files can be executed as PHP code. This leads to remote code execution on the affected server. The impact of these vulnerabilities includes persistent access, data exfiltration, and potential supply chain attacks. Xerte Online Toolkits v3.15.5 or v3.14.6 includes fixes for these issues. Users should manually remove the /setup/ folder and upgrade to the patched versions. The fixes involve automatically removing the /setup/ directory and securing sensitive configuration files.