CVE-2026-4169
Published 2026-03-16
Priority: P4 (10, low)
CVSS 3.1 base score: 2.4 (AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N)
EPSS: 0.20% (10.2th percentile)
A security flaw has been discovered in Tecnick TCExam up to 16.6.0. Affected is the function F_xml_export_users of the file admin/code/tce_xml_users.php of the component XML Export. Performing a manipulation results in cross-site scripting. Remote exploitation of the attack is possible. There are still doubts about whether this vulnerability truly exists. Upgrading to version 16.6.1 addresses this issue. The patch is named 899b5b2fa09edfe16043f07265e44fe2022b7f12. It is suggested to upgrade the affected component. When the vendor was informed about another security issue, he identified and fixed this flaw during analysis. He doubts the impact of this: "However, this is difficult to justify as a security issue. It requires being an administrator to both create and consume the exploit. Administrators can do pretty much anything in the platform, so I don't see the point of this from a security perspective." This is reflected by the CVSS vector (PR:H, UI:R: high privileges and user interaction are both required).
Affected (8 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| tecnick | tcexam | — | — |
| tecnick | tcexam | — | — |
| tecnick | tcexam | — | — |
| tecnick | tcexam | — | — |
| tecnick | tcexam | — | — |
| tecnick | tcexam | — | — |
| tecnick | tcexam | — | — |
| wwbn | avideo | 0 – 26.0 | — |
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | 3.1 | 2.4 | LOW | CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N |
| NVD | 4.0 | 4.8 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| NVD | 2.0 | 3.3 | LOW | AV:N/AC:L/Au:M/C:N/I:P/A:N |
GHSA advisory (ghsa, 2026-03-20): CVE-2026-33480 [HIGH] CWE-918
AVideo has a SSRF Protection Bypass via IPv4-Mapped IPv6 Addresses in Unauthenticated LiveLinks Proxy
## Summary
The `isSSRFSafeURL()` function in AVideo can be bypassed using IPv4-mapped IPv6 addresses (`::ffff:x.x.x.x`). The unauthenticated `plugin/LiveLinks/proxy.php` endpoint uses this function to validate URLs before fetching them with curl, but the IPv4-mapped IPv6 prefix passes all checks, allowing an attacker to access cloud metadata services, internal networks, and localhost services.
## Details
The `isSSRFSafeURL()` function in `objects/functions.php` (lines 4021-4169) implements SSRF protection with two separate check paths:
1. **IPv4 checks** (lines 4101-4134): Regex patterns matching dotted-decimal notation (`/^10\./`, `/^172\./`, `/^192\.168\./`, `/^127\./`, `/^169\.254\
GHSA advisory (ghsa_unreviewed, 2026-03-16): GHSA-rgqq-mw78-fj3h, CVE-2026-4169 [MEDIUM] CWE-79
A security flaw has been discovered in Tecnick TCExam up to 16.6.0 (same description as above).
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.