CVE-2026-34415
Published 2026-04-22
Priority: P1 (80) · critical · CVSS 3.1 base score 9.8
Vector: AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
Exploit: flagged as available
EPSS: 3.57% (87.9th percentile)
Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authentication bypass and path traversal vulnerabilities to upload malicious PHP code, rename it with a .php4 extension, and execute arbitrary operating system commands on the server.
Affected
1 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| thexerteproject | xerteonlinetoolkits | <= 3.15.0 | — |
Detection & IOCs
- Monitor for unauthenticated POST requests to /editor/elfinder/php/connector.php, particularly those uploading files with .php4 extensions or containing path traversal sequences in file names or parameters.
- Alert on web server execution of files with a .php4 extension, especially those uploaded via the elFinder connector endpoint, as this is the bypass technique used to evade the blacklist regex.
- Detect rename operations (elFinder 'rename' command) on the connector.php endpoint that change a file's extension to .php4, as the exploit chain requires an upload followed by a rename step.
- The vulnerable regex blacklist in the elFinder connector blocks common PHP extensions but fails to include .php4; defenders should ensure their extension blacklist explicitly enumerates .php4 (and other alternate PHP extensions such as .php5, .phtml, .phar) rather than relying on a pattern match.
- There is no patched release version available; the last known vulnerable commit is 4e40f8030a2e3267267db7ce03e0ff57270be6f5 on version 3.15. Defenders should track upstream commits rather than version numbers alone.
- The exploit is unauthenticated and chains three distinct weaknesses (authentication bypass, extension blacklist bypass, path traversal); blocking any single layer in isolation may not be sufficient to prevent exploitation.
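The detection notes above can be turned into a small log-review script. The following is an added example written for this page, not code from Xerte, elFinder or any of the linked advisories. It takes the endpoint path and the list of alternate PHP extensions from the notes above; the elFinder query parameter names (cmd, target, name) and the combined-log-format sample lines are assumptions and constructed data for this example. It flags POSTs to the connector, rename commands whose new name carries a PHP-executable extension, path traversal markers, and later requests for .php4-style files, and it shows the explicit-enumeration extension check the notes recommend in place of a pattern match.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Endpoint and extensions come from the detection notes on this page. The elFinder parameter
# names (cmd, target, name) are an assumption of this example.
CONNECTOR_PATH = "/editor/elfinder/php/connector.php"
PHP_EXECUTABLE_EXTS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar"}

# Apache/nginx "combined" access-log format; the constructed sample lines below follow it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) \S+'
)


def php_executable(name: str) -> bool:
    """Explicit enumeration instead of a regex: True if any dotted component of the file name
    is a PHP-executable extension. Every component after the base name is checked, not only
    the last one, because some server handler setups (e.g. Apache AddHandler) evaluate each
    extension of a name such as 'x.php4.txt'."""
    parts = name.rsplit("/", 1)[-1].lower().split(".")
    return any(p in PHP_EXECUTABLE_EXTS for p in parts[1:])


def last_ext(path: str) -> str:
    """Final extension of a URL path, lower-cased, or '' if there is none."""
    base = path.rsplit("/", 1)[-1].lower()
    return base.rsplit(".", 1)[-1] if "." in base else ""


def classify(line: str):
    """Return (client_ip, [reasons]) for one access-log line, or None if nothing is suspicious."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    query = parse_qs(url.query)
    reasons = []
    if url.path == CONNECTOR_PATH:
        cmd = query.get("cmd", [""])[0]
        new_name = query.get("name", [""])[0]  # assumed: elFinder 'rename' sends the new name here
        if m["method"] == "POST":
            # Upload bodies are multipart and invisible in the access log, so every POST to the
            # connector is surfaced for review rather than only those visibly carrying a file.
            reasons.append("connector_post")
        if cmd == "rename" and php_executable(new_name):
            reasons.append(f"rename_to_php_ext:{new_name}")
        if ".." in unquote(m["target"]):
            reasons.append("path_traversal_sequence")
    elif last_ext(url.path) in PHP_EXECUTABLE_EXTS - {"php"}:
        # A request for a .php4/.phtml/... file outside the connector: possible execution of an
        # uploaded-and-renamed file, which the notes above say should be alerted on.
        reasons.append(f"alt_php_ext_requested:{url.path}")
    return (m["ip"], reasons) if reasons else None


def scan(log_text: str):
    """Run classify over every line and return the flagged (ip, reasons) tuples in log order."""
    return [hit for hit in (classify(l) for l in log_text.splitlines()) if hit]


# Constructed sample log for this example (RFC 5737 documentation addresses, invented paths).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Apr/2026:10:00:01 +0000] "POST /editor/elfinder/php/connector.php HTTP/1.1" 200 412
203.0.113.7 - - [22/Apr/2026:10:00:02 +0000] "GET /editor/elfinder/php/connector.php?cmd=rename&target=l1_c2hlbGwudHh0&name=shell.php4 HTTP/1.1" 200 233
203.0.113.7 - - [22/Apr/2026:10:00:03 +0000] "GET /uploads/report.php4 HTTP/1.1" 200 57
198.51.100.4 - - [22/Apr/2026:10:01:00 +0000] "GET /editor/elfinder/php/connector.php?cmd=open&target=l1_Lw HTTP/1.1" 200 1024
198.51.100.4 - - [22/Apr/2026:10:01:01 +0000] "GET /editor/elfinder/php/connector.php?cmd=rename&target=l1_bm90ZXM&name=notes.txt HTTP/1.1" 200 230
"""

if __name__ == "__main__":
    for ip, reasons in scan(SAMPLE_LOG):
        print(ip, ", ".join(reasons))
```

Run against a real access log, the script reports the first client's three-step sequence (POST to the connector, rename to .php4, request for the .php4 file) while the second client's ordinary open and rename-to-.txt produce nothing. The php_executable check is the point of the fourth note above: a fixed set of extensions is compared exactly, so an extension the pattern author forgot cannot slip through, and adding .php4 or any future variant is a one-word change.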
CVSS provenance
NVD, CVSS v3.1: 9.8 CRITICAL (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
NVD, CVSS v4.0: 9.3 CRITICAL (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
GHSA
GHSA-67j3-r63p-59hf: Xerte Online Toolkits versions 3
ghsa_unreviewed · 2026-04-22 · CVE-2026-34415 [CRITICAL] · CWE-184
VulDB
thexerteproject xerteonlinetoolkits up to 3.13.0/3.14.0/3.15.0 elFinder Connector Endpoint incomplete blacklist (ID 1527 / EUVD-2026-25069)
vuldb · 2026-04-22 · CVSS 9.3 · CVE-2026-34415 [CRITICAL]
A vulnerability was found in thexerteproject xerteonlinetoolkits up to 3.13.0/3.14.0/3.15.0 and classified as critical. This affects an unknown function of the component elFinder Connector Endpoint. Such manipulation leads to an incomplete blacklist.
This vulnerability is listed as CVE-2026-34415. The attack may be performed from remote. There is no available exploit.
It is suggested to upgrade the affected component.
No detection rules found.
https://github.com/bootstrapbool/xerteonlinetoolkits-rce
https://github.com/thexerteproject/xerteonlinetoolkits/commit/02661be88cc369325ea01b508086bde7fbfec805
https://github.com/thexerteproject/xerteonlinetoolkits/commit/17e4f945fe6a3400fa88c01eda18c1075ee4a212
https://github.com/thexerteproject/xerteonlinetoolkits/commit/507d55c5e91bf9310b5b1c7fad8aebfef902ad23
https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527
https://www.vulncheck.com/advisories/xerte-online-toolkits-file-upload-rce-via-elfinder-connector
https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits
https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html
Published 2026-04-22