Vulnerability Description
Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authentication bypass and path traversal vulnerabilities to upload malicious PHP code, rename it with a .php4 extension, and execute arbitrary operating system commands on the server.
CVSS Score
CRITICAL
Related Weaknesses (CWE)
References
- https://github.com/bootstrapbool/xerteonlinetoolkits-rce
- https://github.com/thexerteproject/xerteonlinetoolkits/commit/02661be88cc369325e
- https://github.com/thexerteproject/xerteonlinetoolkits/commit/17e4f945fe6a3400fa
- https://github.com/thexerteproject/xerteonlinetoolkits/commit/507d55c5e91bf9310b
- https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527
- https://www.vulncheck.com/advisories/xerte-online-toolkits-file-upload-rce-via-e
- https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits
- https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html
FAQ
What is CVE-2026-34415?
CVE-2026-34415 is a vulnerability with a CVSS score of 9.8 (CRITICAL). Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an in...
How severe is CVE-2026-34415?
CVE-2026-34415 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-34415?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.