cvebase
CVE-2026-34413
Published 2026-04-22

Priority: P2 (75, high)
CVSS 3.1: 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)
Exploit: public exploit available
EPSS: 2.80% (84.7th percentile)
Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit() or die(), allowing PHP execution to continue and process the full request server-side. Unauthenticated attackers can perform file operations on project media directories including creating directories, uploading files, renaming files, duplicating files, overwriting files, and deleting files, which can be chained with path traversal and extension blocklist vulnerabilities to achieve remote code execution and arbitrary file read.

Affected (1 range)

Vendor            Product               Version range   Fixed in
thexerteproject   xerteonlinetoolkits   <= 3.15.0       (none listed)

Detection & IOCs (extracted from sources)

path: /editor/elfinder/php/connector.php
path: /editor/elfinder/php/connector.php?uploadDir={{webroot}}USER-FILES/{{pid}}--Nottingham/&uploadURL={{BaseURL}}/USER-FILES/{{pid}}--Nottingham/&cmd=mkdir&name={{rand}}{{pid}}&target=l1_Lw
path: /editor/elfinder/php/connector.php?uploadDir={{webroot}}USER-FILES/{{pid}}--Nottingham/&uploadURL={{BaseURL}}/USER-FILES/{{pid}}--Nottingham/&cmd=rename&target={{fileid}}&name={{rand}}{{pid}}/../../../../{{rand}}{{pid}}.php4
hash: c8c605999f3d8352d7bb792cf3fdb25b
hash: 4e40f8030a2e3267267db7ce03e0ff57270be6f5
  • Unauthenticated GET/POST requests to /editor/elfinder/php/connector.php returning HTTP 302 with a body containing 'Invalid upload location' indicate auth bypass exploitation: the redirect does not call exit()/die(), so PHP execution continues.
  • Detect path traversal in the 'name' parameter of connector.php rename commands: sequences like '../../../../' combined with a .php4 (or other non-blocklisted PHP extension) filename indicate exploitation of the extension blocklist bypass.
  • Monitor for multipart/form-data POSTs to /editor/elfinder/php/connector.php with cmd=upload from unauthenticated sessions (no session cookie / auth header), especially uploads of .txt files later renamed via path traversal to executable extensions.
  • Alert on HTTP 302 responses from /editor/elfinder/php/connector.php that still contain the JSON body fields 'added', 'hash', and 'name'; this confirms the auth bypass is active and file operations are being processed.
  • The Metasploit module for this CVE targets Xerte versions ≤ 3.15; detect exploitation attempts by correlating unauthenticated connector.php access with subsequent requests to USER-FILES directories for newly created .php4 (or similar) files.
  • The multipart boundary string '----xerteboundary' in POST bodies to connector.php is a static indicator used by known exploit tooling (Nuclei PoC) for this CVE.
  • The vulnerable endpoint returns HTTP 302 (redirect) even when processing attacker requests successfully; defenders must not rely solely on non-200 status codes to conclude requests were blocked, and should inspect the response body for JSON file operation results.
  • The extension blocklist is bypassable; blocking .php alone is insufficient. Alternate PHP-executable extensions (e.g., .php4) can be used to achieve RCE via path traversal rename.
  • No patched release version exists as of the Metasploit module's writing; the vulnerable commit is identified by hash rather than a version tag.
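Added example, not code from the CVE record, the Xerte project, or the Metasploit/Nuclei tooling: a small Python detector that applies the indicators above to constructed JSON-lines records of the kind a reverse proxy or WAF might emit (one request plus its response per line). The record field names (`uri`, `has_session`, `status`, `request_content_type`, `response_body`), the record ids, and the list of PHP-executable extensions are assumptions for the example; the connector path, the '----xerteboundary' string, the '../' rename pattern with a .php4 target, and the "302 with JSON file-operation fields" rule come from the record itself. The sample log lines are constructed.

```python
import json
import re
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the CVE record above.
CONNECTOR = "/editor/elfinder/php/connector.php"
KNOWN_BOUNDARY = "----xerteboundary"
# Assumption: extensions your web server may hand to the PHP interpreter.
# The record names .php4 explicitly; tune the rest to your server config.
PHP_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}
# A ".." path component bounded by slashes (or string start/end).
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")


def parse_query(uri):
    """Return the path and a flat {param: first value} dict for a request URI."""
    parts = urlsplit(uri)
    params = {k: v[0] for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    return parts.path, params


def is_php_filename(name):
    """True if the final extension is one the server might execute as PHP."""
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    return ext in PHP_EXTENSIONS


def analyze_event(event):
    """Return finding tags for one request/response record (empty if benign)."""
    path, params = parse_query(event["uri"])
    if path != CONNECTOR:
        return []
    findings = []
    cmd = params.get("cmd", "")
    unauth = not event.get("has_session")
    status = int(event.get("status", 0))
    body = event.get("response_body", "")
    req_ct = event.get("request_content_type", "")

    if unauth:
        findings.append("unauthenticated-connector-access")
    # The redirect-without-exit bug: a 302 whose body still carries elFinder's
    # JSON result means the operation ran despite the "redirect".
    if status == 302 and all('"%s"' % k in body for k in ("added", "hash", "name")):
        findings.append("redirect-but-operation-processed")
    if status == 302 and "Invalid upload location" in body:
        findings.append("redirect-invalid-upload-location")
    if cmd == "rename":
        name = params.get("name", "")
        if TRAVERSAL.search(name) and is_php_filename(name):
            findings.append("traversal-rename-to-php-extension")
    if cmd == "upload" and req_ct.startswith("multipart/form-data"):
        if unauth:
            findings.append("unauthenticated-upload")
        if KNOWN_BOUNDARY in req_ct:
            findings.append("known-exploit-tooling-boundary")
    return findings


def scan(lines):
    """Parse JSON-lines records and return {record id: findings} for hits only."""
    hits = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        findings = analyze_event(event)
        if findings:
            hits[event["id"]] = findings
    return hits


# Constructed sample records: one benign authenticated call, one unrelated
# request, then an unauthenticated mkdir / upload / traversal-rename sequence.
SAMPLE_LOG = r"""
{"id": 1, "uri": "/editor/elfinder/php/connector.php?cmd=open&target=l1_Lw", "has_session": true, "status": 200, "response_body": "{\"cwd\":{\"hash\":\"l1_Lw\"}}"}
{"id": 2, "uri": "/index.php", "has_session": false, "status": 200, "response_body": "<html>"}
{"id": 3, "uri": "/editor/elfinder/php/connector.php?cmd=mkdir&name=x7f2&target=l1_Lw", "has_session": false, "status": 302, "response_body": "{\"added\":[{\"hash\":\"l1_eDdmMg\",\"name\":\"x7f2\"}]}"}
{"id": 4, "uri": "/editor/elfinder/php/connector.php?cmd=upload&target=l1_eDdmMg", "has_session": false, "status": 302, "request_content_type": "multipart/form-data; boundary=----xerteboundary", "response_body": "{\"added\":[{\"hash\":\"l1_eDdmMg\",\"name\":\"x7f2.txt\"}]}"}
{"id": 5, "uri": "/editor/elfinder/php/connector.php?cmd=rename&target=l1_eDdmMg&name=x7f2/../../../../x7f2.php4", "has_session": false, "status": 302, "response_body": "{\"added\":[{\"hash\":\"l1_eDdmMg\",\"name\":\"x7f2.php4\"}]}"}
"""


def demo():
    """Run the detector over the constructed sample and return the hits."""
    return scan(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for rec_id, tags in demo().items():
        print(rec_id, ", ".join(tags))
```

Records 3, 4 and 5 are flagged; record 1 (authenticated, 200) and record 2 (another path) are not. The "redirect-but-operation-processed" tag is the one worth paging on: a 302 alone is what a correctly blocked request looks like, so the rule keys on the JSON result fields the record lists rather than on the status code.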

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      3.1       8.6     HIGH       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
nvd      4.0       8.8     HIGH       CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X