CVE-2026-34413
Published 2026-04-22
Priority: P2 (75) · Severity: high · CVSS 3.1 base score: 8.6
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:L / I:H / A:L
Exploit available
EPSS: 2.80% (84.7th percentile)
Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit() or die(), allowing PHP execution to continue and process the full request server-side. Unauthenticated attackers can perform file operations on project media directories including creating directories, uploading files, renaming files, duplicating files, overwriting files, and deleting files, which can be chained with path traversal and extension blocklist vulnerabilities to achieve remote code execution and arbitrary file read.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| thexerteproject | xerteonlinetoolkits | <= 3.15.0 | — |
Detection & IOCs (extracted from sources)
- Path: /editor/elfinder/php/connector.php?uploadDir={{webroot}}USER-FILES/{{pid}}--Nottingham/&uploadURL={{BaseURL}}/USER-FILES/{{pid}}--Nottingham/&cmd=mkdir&name={{rand}}{{pid}}&target=l1_Lw
- Path: /editor/elfinder/php/connector.php?uploadDir={{webroot}}USER-FILES/{{pid}}--Nottingham/&uploadURL={{BaseURL}}/USER-FILES/{{pid}}--Nottingham/&cmd=rename&target={{fileid}}&name={{rand}}{{pid}}/../../../../{{rand}}{{pid}}.php4
- Hash: c8c605999f3d8352d7bb792cf3fdb25b
- Unauthenticated GET/POST requests to /editor/elfinder/php/connector.php that return HTTP 302 with a body containing 'Invalid upload location' indicate auth-bypass exploitation: the redirect does not call exit()/die(), so PHP execution continues.
- Detect path traversal in the 'name' parameter of connector.php rename commands: sequences like '../../../../' combined with a .php4 (or other non-blocklisted PHP extension) filename indicate exploitation of the extension blocklist bypass.
- Monitor for multipart/form-data POSTs to /editor/elfinder/php/connector.php with cmd=upload from unauthenticated sessions (no session cookie or auth header), especially uploads of .txt files that are later renamed via path traversal to executable extensions.
- Alert on HTTP 302 responses from /editor/elfinder/php/connector.php that still contain the JSON body fields 'added', 'hash' and 'name'; this confirms the auth bypass is active and file operations are being processed.
- The Metasploit module for this CVE targets Xerte versions ≤ 3.15; detect exploitation attempts by correlating unauthenticated connector.php access with subsequent requests to USER-FILES directories for newly created .php4 (or similar) files.
- The multipart boundary string '----xerteboundary' in POST bodies to connector.php is a static indicator used by known exploit tooling (the Nuclei PoC) for this CVE.
- The vulnerable endpoint returns HTTP 302 (redirect) even when it processes attacker requests successfully; defenders must not rely solely on non-200 status codes to conclude requests were blocked, and should inspect the response body for JSON file-operation results.
- The extension blocklist is bypassable; blocking .php alone is insufficient. Alternate PHP-executable extensions (e.g., .php4) can be used to achieve RCE via path-traversal rename.
- No patched release version exists as of the Metasploit module's writing; the vulnerable commit is identified by hash rather than a version tag.
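The detection points above can be turned into log-side checks. The following is an added example, not code from the Xerte project or from any of the sources listed on this page: it runs the rules over a handful of constructed reverse-proxy records (a hypothetical schema with method, URI, status, whether a session cookie was present, request content type, request body and response body) and reports which indicators each record triggers. The set of PHP-executable extensions and the record layout are assumptions; adjust both to the handlers and logging you actually have.

```python
import re
from urllib.parse import urlsplit, parse_qs

CONNECTOR_PATH = "/editor/elfinder/php/connector.php"
# Extensions a PHP handler may execute besides .php (assumption: adjust to your server config)
PHP_EXECUTABLE_EXTS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}
TOOLING_BOUNDARY = "----xerteboundary"          # static boundary noted in the IOCs above
REDIRECT_MARKER = "Invalid upload location"     # body text of the non-terminating redirect
JSON_FILEOP_FIELDS = ('"added"', '"hash"', '"name"')


def _query_params(uri):
    """First value of every query-string parameter (parse_qs URL-decodes them)."""
    return {k: v[0] for k, v in parse_qs(urlsplit(uri).query).items()}


def _multipart_field(body, field):
    """Pull one text field out of a multipart/form-data body (simplified parser)."""
    m = re.search(r'name="%s"\r?\n\r?\n([^\r\n]*)' % re.escape(field), body)
    return m.group(1) if m else None


def classify(rec):
    """Return the set of detection names triggered by one proxy log record.

    rec is a dict with the constructed schema:
      method, uri, status, has_session, content_type, body, resp_body
    """
    hits = set()
    uri = rec.get("uri", "")
    if urlsplit(uri).path != CONNECTOR_PATH:
        return hits
    params = _query_params(uri)
    body = rec.get("body", "")
    resp = rec.get("resp_body", "")
    status = rec.get("status")
    unauth = not rec.get("has_session", False)
    cmd = params.get("cmd") or _multipart_field(body, "cmd")
    name = params.get("name") or _multipart_field(body, "name") or ""

    # Unauthenticated caller got the 302; server-side execution continued past it
    if unauth and status == 302 and REDIRECT_MARKER in resp:
        hits.add("unauth_redirect")
    # Redirect body still carries elFinder JSON: a file operation was actually processed
    if status == 302 and all(f in resp for f in JSON_FILEOP_FIELDS):
        hits.add("fileop_in_redirect")
    # Traversal in a rename target, escalated when the new name has a non-.php PHP extension
    if cmd == "rename" and "../" in name:
        hits.add("rename_traversal")
        last = name.rsplit("/", 1)[-1]
        ext = ("." + last.rsplit(".", 1)[1].lower()) if "." in last else ""
        if ext in PHP_EXECUTABLE_EXTS and ext != ".php":
            hits.add("php_ext_blocklist_bypass")
    # Multipart upload command with no session at all
    ct = rec.get("content_type", "")
    if (unauth and rec.get("method") == "POST"
            and ct.startswith("multipart/form-data") and cmd == "upload"):
        hits.add("unauth_upload")
    # Static boundary string used by known exploit tooling
    if TOOLING_BOUNDARY in ct or TOOLING_BOUNDARY in body:
        hits.add("known_tooling_boundary")
    return hits


def scan(records):
    """Return [(index, sorted detections)] for every record that triggered something."""
    out = []
    for i, rec in enumerate(records):
        hits = classify(rec)
        if hits:
            out.append((i, sorted(hits)))
    return out


# Constructed sample records; none of these come from a real system.
SAMPLE_RECORDS = [
    # authenticated, ordinary editor traffic
    {"method": "GET", "uri": CONNECTOR_PATH + "?cmd=open&target=l1_Lw", "status": 200,
     "has_session": True, "content_type": "", "body": "", "resp_body": '{"cwd":{}}'},
    # unauthenticated mkdir whose redirect body still carries the JSON result
    {"method": "GET", "uri": CONNECTOR_PATH + "?cmd=mkdir&name=abc123&target=l1_Lw",
     "status": 302, "has_session": False, "content_type": "", "body": "",
     "resp_body": 'Invalid upload location{"added":[{"hash":"l1_YWJjMTIz","name":"abc123"}]}'},
    # unauthenticated rename with traversal to a .php4 name
    {"method": "GET",
     "uri": CONNECTOR_PATH + "?cmd=rename&target=l1_abc&name=abc123/../../../../abc123.php4",
     "status": 302, "has_session": False, "content_type": "", "body": "",
     "resp_body": 'Invalid upload location{"added":[{"hash":"l1_x","name":"abc123.php4"}]}'},
    # unauthenticated multipart upload using the static tooling boundary
    {"method": "POST", "uri": CONNECTOR_PATH, "status": 302, "has_session": False,
     "content_type": "multipart/form-data; boundary=" + TOOLING_BOUNDARY,
     "body": ("--" + TOOLING_BOUNDARY
              + '\r\nContent-Disposition: form-data; name="cmd"\r\n\r\nupload\r\n'
              + "--" + TOOLING_BOUNDARY + "--\r\n"),
     "resp_body": "Invalid upload location"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_RECORDS):
        print(f"record {idx}: {', '.join(hits)}")
```

The rules deliberately key on the response body rather than the status code, since the endpoint answers 302 whether or not the operation ran; if your proxy does not log response bodies, the rename-traversal, unauthenticated-upload and boundary rules still work from the request side alone.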
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.6 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L |
| nvd | 4.0 | 8.8 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
GHSA-g35c-vgp7-f8qm: Xerte Online Toolkits versions 3… (ghsa_unreviewed · 2026-04-22 · HIGH · CWE-497)
VulDB
thexerteproject xerteonlinetoolkits up to 3.13.0/3.14.0/3.15.0 elFinder Connector Endpoint connector.php exposure of sensitive system information to an unauthorized control sphere (ID 1527) (vuldb · 2026-04-22 · HIGH · CVSS 8.8)
A vulnerability classified as critical was found in thexerteproject xerteonlinetoolkits up to 3.13.0/3.14.0/3.15.0. This issue affects some unknown processing of the file /editor/elfinder/php/connector.php of the component elFinder Connector Endpoint. Executing a manipulation can lead to exposure of sensitive system information to an unauthorized control sphere.
The identification of this vulnerability is CVE-2026-34413. The attack may be launched remotely. There is no exploit available.
Upgrading the affected component is advised.
No detection rules found.
Nuclei
Xerte Online Toolkits <= 3.15 - Remote Code Execution (nuclei · HIGH · CVSS 8.6)
Template excerpt:

```yaml
Xerte Online Toolkits ([^'
    internal: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 200'
          - 'contains(body, "Welcome to Xerte Online Toolkits Installer")'
        condition: and
        internal: true

  - raw:
      - |
        GET /editor/elfinder/php/connector.php HTTP/1.1
        Host: {{Hostname}}
    extractors:
      - type: regex
        name: authbypass
        part: body
        regex:
          - "Invalid upload location"
        internal: true
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 302'
          - 'contains(body, "Invalid upload location")'
        condition: and
        internal: true

  - raw:
      - |
        GET /editor/elfinder/php/connector.php?uploadDir={{webroot}}USER-FILES/{{pid}}--Nottingham/&uploadURL={{BaseURL}}/USER-FILES/{{pid}}--Nottingham/&cmd=mkdir&name={{rand}}{{pid}}&target=l1_Lw HTTP/1.1
        Host: {{Hostname}}
    matchers:
      - type: dsl
        dsl:
          - 'status_code == 302'
          - 'contains_all(body
```
Metasploit
Xerte Online Toolkits Arbitrary File Upload - Unauthenticated Media Upload (metasploit)
This module bypasses authentication failure, extension blacklist, and path traversal vulnerabilities in the /editor/elfinder/php/connector.php endpoint to upload and execute a shell in Xerte Online Toolkits versions 3.15 (commit 4e40f8030a2e3267267db7ce03e0ff57270be6f5, as there are no patch versions used) and earlier.
References:
- https://github.com/bootstrapbool/xerteonlinetoolkits-rce
- https://github.com/thexerteproject/xerteonlinetoolkits/commit/02661be88cc369325ea01b508086bde7fbfec805
- https://github.com/thexerteproject/xerteonlinetoolkits/commit/17e4f945fe6a3400fa88c01eda18c1075ee4a212
- https://github.com/thexerteproject/xerteonlinetoolkits/commit/507d55c5e91bf9310b5b1c7fad8aebfef902ad23
- https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527
- https://www.vulncheck.com/advisories/xerte-online-toolkits-missing-authentication-via-connector-php
- https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits
- https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html
Published 2026-04-22