VYPR

Xerteonlinetoolkits

by Thexerteproject

CVEs (4)

  • CVE-2026-34415 | Critical | Apr 22, 2026
    risk 0.57 | cvss 9.8 | epss 0.04

    Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined…

  • CVE-2026-34413 | High | Apr 22, 2026
    risk 0.49 | cvss 8.6 | epss 0.03

    Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit() or die(), allowing PHP execution to…

  • CVE-2026-34414 | High | Apr 22, 2026
    risk 0.39 | cvss 7.1 | epss 0.03

    Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can…

  • CVE-2026-41459 | Medium | Apr 22, 2026
    risk 0.27 | cvss 5.3 | epss 0.01

    Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the…