Thexerteproject Xerteonlinetoolkits vulnerabilities
4 known vulnerabilities affecting thexerteproject/xerteonlinetoolkits.
Total CVEs: 4
CISA KEV: 0
Public exploits: 4
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 1
Vulnerabilities
CVE-2026-34415 | P1 | CRITICAL | CVSS 9.8 | PoC available | affects ≤ 3.15.0 | published 2026-04-22
CVE-2026-34415 [CRITICAL] CWE-184: Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability
Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authentication bypass and path traversal vulnerabilities to uplo
Source: NVD
CVE-2026-34413 | P2 | HIGH | CVSS 8.6 | PoC available | affects ≤ 3.15.0 | published 2026-04-22
CVE-2026-34413 [HIGH] CWE-497: Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in th
Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit() or die(), allowing PHP execution to continue and process the full request server-side. Unauthenticated attackers c
Source: NVD
CVE-2026-34414 | P3 | HIGH | CVSS 7.1 | PoC available | affects ≤ 3.15.0 | published 2026-04-22
CVE-2026-34414 [HIGH] CWE-22: Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in t
Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can supply a name value containing directory traversal sequences to move files from
Source: NVD
CVE-2026-41459 | P3 | MEDIUM | CVSS 5.3 | PoC available | affects v3.15.0 | fixed in f063e942b4a9bf77a06829e844c2c70316bc45e8 | published 2026-04-22
CVE-2026-41459 [MEDIUM] CWE-497: Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that
Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the exposed root_path value rendered in the HTML response, which enables exploita
Source: NVD