CVE-2026-34415 CRITICAL

CVE-2026-34415: Xerte Online Toolkits File Upload RCE via elfinder Connector

Vendor Thexerteproject
Product xerteonlinetoolkits
Weakness CWE-184
Published April 22, 2026
Last update May 25, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint: an incorrect regex pattern fails to block the PHP-executable extension .php4. Unauthenticated attackers can combine this flaw with authentication bypass and path traversal vulnerabilities to upload malicious PHP code, rename it with a .php4 extension, and execute arbitrary operating system commands on the server.
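The weakness class here (CWE-184, incomplete list of disallowed inputs) is easiest to see by contrasting a blocklist that names only some PHP extensions with an allowlist of the types an upload feature actually needs. The code below is a constructed illustration added to this record, not the Xerte or elFinder source; the blocklist regex and the allowed-extension set are assumptions chosen to show the failure mode, and the same check must run on rename and move operations as well as on upload, since the description notes the payload is renamed after upload.

```python
import re

# Constructed CWE-184 style blocklist: it names a few PHP-executable
# extensions but omits variants such as .php4, so a renamed file slips
# through. This is NOT the project's real pattern.
BLOCKLIST_RE = re.compile(r"\.(php|php5|phtml)$", re.IGNORECASE)

# Hardened approach: allow only the extensions the feature needs
# (assumed set), and validate every dotted segment of the name so that
# double-extension names like "x.php.png" are rejected too.
ALLOWED_EXTENSIONS = frozenset({"png", "jpg", "jpeg", "gif", "pdf", "mp3", "mp4"})


def blocklist_allows(filename: str) -> bool:
    """Return True if the flawed blocklist would accept the name."""
    return BLOCKLIST_RE.search(filename) is None


def allowlist_allows(filename: str) -> bool:
    """Return True only if the name has a non-empty base and every
    extension segment is on the allowlist. Dotfiles such as ".htaccess"
    have an empty base and are rejected."""
    parts = filename.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False
    return all(segment in ALLOWED_EXTENSIONS for segment in parts[1:])


def audit(names):
    """Return the names the blocklist accepts but the allowlist rejects;
    each entry is a gap in the blocklist. Apply the allowlist check to
    the target name of rename/move requests, not just to uploads."""
    return [n for n in names if blocklist_allows(n) and not allowlist_allows(n)]


if __name__ == "__main__":
    # Constructed sample filenames for a quick self-check.
    sample = ["photo.png", "notes.php4", "page.phtml", "img.php.jpg", ".htaccess"]
    print(audit(sample))
```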

Key dates

Disclosure timeline

April 22, 2026 CVE published
May 25, 2026 Record updated