Xerte Online Tools Antivirus Path Remote Code Execution Vulnerability
A vulnerability in the Xerte Online Tools allows for RCE through the antivirus binary path in the tools server settings, which can be changed to a PHP interpreter, allowing an attacker to upload PHP data that will then be executed.
Quick answer
Xerte Project Xerte Online Tools should be reviewed and updated if it matches the affected versions. The recommended fix is to apply the vendor-supported patched version or the mitigation steps below, then retest the public website with Fixnx.
Who is affected
Affected versions
- Xerte Online Tools installations where tools server settings can execute PHP through antivirus path
Fixed versions
- Apply the latest vendor-supported patched release and lock server settings
How to fix it
Xerte Online Tools can allow remote code execution through the antivirus binary path in tools server settings. Update Xerte, restrict server settings access, and verify that uploaded PHP data cannot be executed through the configured antivirus path. Treat exposed administrative settings as possible full application compromise.
- Inventory Xerte Online Tools deployments and identify who can modify tools server settings.
- Apply the latest vendor-supported patched release for Xerte Online Tools.
- Restrict administrative settings to trusted administrators and MFA-protected access.
- Ensure the antivirus binary path is fixed to an approved executable and cannot be changed to a PHP interpreter by untrusted users.
- Review uploaded files, PHP execution paths, configuration changes, and admin users for compromise indicators.
- Rotate database credentials, administrator passwords, and integration secrets if suspicious execution is found.
- Block PHP execution in upload directories and remove malicious files before returning to service.
Scan now. Google sign-in is only needed to unlock fix guidance.
Verify the fix
- Confirm Xerte is patched for CVE-2026-12116.
- Validate the antivirus path cannot be abused to execute uploaded PHP data.
- Review web server and Xerte logs for suspicious settings changes and file execution.
- Test content upload, antivirus scanning, and admin settings workflows after remediation.
- Run a Fixnx scan and confirm no public Xerte admin or setup exposure remains.
Related categories
Trusted references
FAQ
What is affected by CVE-2026-12116?
Xerte Project Xerte Online Tools versions listed as affected should be reviewed: Xerte Online Tools installations where tools server settings can execute PHP through antivirus path.
What should I fix first?
Start with internet-facing sites, admin panels, login flows, plugins, themes, modules, packages, and systems that process user-controlled input or sensitive data.
How do I confirm the fix worked?
Apply the patched version or mitigation, clear caches where relevant, retest the affected workflow, and run a new Fixnx scan to verify public website exposure signals.
Why can this risk appear in multiple categories?
A vulnerability can belong to more than one platform or ecosystem. Fixnx keeps one canonical risk page while also listing it in every relevant category.
