Critical severity9.8NVD Advisory· Published Apr 22, 2026· Updated Apr 24, 2026
CVE-2026-34415
CVE-2026-34415
Description
Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authentication bypass and path traversal vulnerabilities to upload malicious PHP code, rename it with a .php4 extension, and execute arbitrary operating system commands on the server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <=3.15
Patches
Vulnerability mechanics
References
7- github.com/thexerteproject/xerteonlinetoolkits/commit/02661be88cc369325ea01b508086bde7fbfec805nvd
- github.com/thexerteproject/xerteonlinetoolkits/commit/17e4f945fe6a3400fa88c01eda18c1075ee4a212nvd
- github.com/thexerteproject/xerteonlinetoolkits/commit/507d55c5e91bf9310b5b1c7fad8aebfef902ad23nvd
- github.com/thexerteproject/xerteonlinetoolkits/issues/1527nvd
- www.vulncheck.com/advisories/xerte-online-toolkits-file-upload-rce-via-elfinder-connectornvd
- xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkitsnvd
- xerte.org.uk/xertetoolkits_3.15_ChangeLog.htmlnvd
News mentions
1- Weekly Metasploit Update: NTLM Relay Priv Esc, MCP Server Integration, Paperclip AI RCE Chain, and moreRapid7 Blog · Jun 19, 2026