CVE-2026-34415 | THREATINT

Description

Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authentication bypass and path traversal vulnerabilities to upload malicious PHP code, rename it with a .php4 extension, and execute arbitrary operating system commands on the server.

PUBLISHED Reserved 2026-03-27 | Published 2026-04-22 | Updated 2026-04-24 | Assigner VulnCheck

CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-184 Incomplete List of Disallowed Inputs

Product status

Default status

unaffected

3.15.0 (semver)

affected

3.14.0 (semver)

affected

3.13.0 (semver)

affected

Any version before 02661be88cc369325ea01b508086bde7fbfec805

affected

Any version before 17e4f945fe6a3400fa88c01eda18c1075ee4a212

affected

Any version before 507d55c5e91bf9310b5b1c7fad8aebfef902ad23

affected

Credits

bootstrapbool finder

References

github.com/bootstrapbool/xerteonlinetoolkits-rce technical-description exploit

xerte.org.uk/xertetoolkits_3.15_ChangeLog.html release-notes

xerte.org.uk/...downloads-1/category/3-xerte-online-toolkits product permissions-required

github.com/thexerteproject/xerteonlinetoolkits/issues/1527 issue-tracking

github.com/...ommit/02661be88cc369325ea01b508086bde7fbfec805 patch

github.com/...ommit/17e4f945fe6a3400fa88c01eda18c1075ee4a212 patch

github.com/...ommit/507d55c5e91bf9310b5b1c7fad8aebfef902ad23 patch

www.vulncheck.com/...-file-upload-rce-via-elfinder-connector third-party-advisory

cve.org (CVE-2026-34415)

nvd.nist.gov (CVE-2026-34415)

Download JSON

help @ threatint.eu