Xerte Online Toolkits File Upload RCE via elfinder Connector

Advisories

Xerte Online Toolkits File Upload RCE via elfinder Connector

severity: critical
date: 4/22/2026
Affecting: Xerte Online Toolkits v3.15.0 < commit 02661be, 3.14.0 < commit 17e4f94, 3.13.0< 507d55c
CVE: CVE-2026-34415
CWE: CWE-184 Incomplete List of Disallowed Inputs
CVSS: 9.3
CVSS V4 Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
References: v3.15 Change Log
Download Page
GitHub Issue
v3.15 Patch Commit
v3.14 Patch Commit
v3.13 Patch Commit
Credit: bootstrapbool
Description: Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authentication bypass and path traversal vulnerabilities to upload malicious PHP code, rename it with a .php4 extension, and execute arbitrary operating system commands on the server.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo