Critical severity9.8NVD Advisory· Published Apr 22, 2026· Updated Apr 24, 2026

CVE-2026-34415

Description

Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authentication bypass and path traversal vulnerabilities to upload malicious PHP code, rename it with a .php4 extension, and execute arbitrary operating system commands on the server.

Affected products

Thexerteproject/Xerteonlinetoolkitsreferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/thexerteproject/xerteonlinetoolkits/commit/02661be88cc369325ea01b508086bde7fbfec805nvd
github.com/thexerteproject/xerteonlinetoolkits/commit/17e4f945fe6a3400fa88c01eda18c1075ee4a212nvd
github.com/thexerteproject/xerteonlinetoolkits/commit/507d55c5e91bf9310b5b1c7fad8aebfef902ad23nvd
github.com/thexerteproject/xerteonlinetoolkits/issues/1527nvd
www.vulncheck.com/advisories/xerte-online-toolkits-file-upload-rce-via-elfinder-connectornvd
xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkitsnvd
xerte.org.uk/xertetoolkits_3.15_ChangeLog.htmlnvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000