CVE-2026-34414
Published 2026-04-22
CVE-2026-34414: Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at…
Priority: P3 · 55 · High · CVSS 3.1 score 7.1
EPSS: 2.83% (84.8th percentile)
Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can supply a name value containing directory traversal sequences to move files from project media directories to arbitrary locations on the filesystem, potentially overwriting application files, achieving stored cross-site scripting, or combining with other vulnerabilities to achieve unauthenticated remote code execution by moving PHP code files to the application root.
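The fix for this class of bug is to treat the rename `name` as a single path component and, independently, to confirm the resolved destination stays inside the project media directory. The Python below is an added illustration of that check, not code from Xerte or elFinder; the media root and file names it uses are constructed for the example.

```python
import re
from pathlib import Path, PurePath
from typing import Optional

# Separators, NUL bytes and the ".." token: anything that could make a plain
# file name address a different directory. Deliberately strict: a legitimate
# name such as "a..b.txt" is also refused, an acceptable trade-off here.
_UNSAFE = re.compile(r"[\\/\x00]|\.\.")


def is_safe_rename_name(name: str) -> bool:
    """True only if `name` is one path component with no traversal tokens."""
    if not name or name in (".", ".."):
        return False
    if _UNSAFE.search(name):
        return False
    # Control characters have no business in a file name either.
    return all(ord(ch) >= 32 for ch in name)


def resolve_rename_target(media_root: str, current: str, new_name: str) -> Optional[PurePath]:
    """Return the destination relative to media_root, or None to refuse the rename.

    Two independent checks: the new name must be a plain file name, and the
    destination (after ".." and symlink normalisation) must still lie under
    media_root. The second check also catches traversal smuggled in through
    the path of the file being renamed, not only through the new name.
    """
    root = Path(media_root).resolve()
    if not is_safe_rename_name(new_name):
        return None
    destination = (root / current).parent / new_name
    try:
        return destination.resolve().relative_to(root)
    except ValueError:  # resolved path escaped media_root
        return None


if __name__ == "__main__":
    # Constructed sample values; /tmp/demo-media is not a real Xerte path.
    for name in ("notes.txt", "../../index.php", "..\\shell.php", "sub/x.php"):
        print(f"{name!r:22} safe={is_safe_rename_name(name)}")
    print(resolve_rename_target("/tmp/demo-media", "media/a.txt", "b.txt"))
    print(resolve_rename_target("/tmp/demo-media", "../../editor/a.txt", "b.txt"))
```

The containment check works without the files existing, so the same function can be dropped in front of the filesystem call rather than after it.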
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| thexerteproject | xerteonlinetoolkits | <= 3.15.0 | — |
CVSS provenance

| Source | CVSS version | Score | Vector |
|---|---|---|---|
| nvd | 3.1 | 7.1 HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N |
| nvd | 4.0 | 7.1 HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
GHSA-qmm4-q4hj-r5cm (ghsa_unreviewed · 2026-04-22): CVE-2026-34414 [HIGH] CWE-22. Description as above.
VulDB
vuldb · 2026-04-22 · CVSS 7.1: CVE-2026-34414 [HIGH] thexerteproject xerteonlinetoolkits up to 3.13.0/3.14.0/3.15.0 elFinder Connector Endpoint connector.php rename Name path traversal (ID 1527 / EUVD-2026-25068)
A vulnerability has been found in thexerteproject xerteonlinetoolkits up to 3.13.0/3.14.0/3.15.0 and classified as critical. The impacted element is the function rename of the file /editor/elfinder/php/connector.php of the component elFinder Connector Endpoint. This manipulation of the argument Name causes path traversal.
This vulnerability is tracked as CVE-2026-34414. The attack can be carried out remotely. No exploit exists.
The affected component should be upgraded.
No detection rules found.
References
- https://github.com/bootstrapbool/xerteonlinetoolkits-rce
- https://github.com/thexerteproject/xerteonlinetoolkits/commit/02661be88cc369325ea01b508086bde7fbfec805
- https://github.com/thexerteproject/xerteonlinetoolkits/commit/17e4f945fe6a3400fa88c01eda18c1075ee4a212
- https://github.com/thexerteproject/xerteonlinetoolkits/commit/507d55c5e91bf9310b5b1c7fad8aebfef902ad23
- https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527
- https://www.vulncheck.com/advisories/xerte-online-toolkits-path-traversal-via-connector-php
- https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits
- https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html