VYPR
Vendor: Xerte

Products: 2
CVEs: 9
Across products: 9
Status: Private

Recent CVEs (9)
  • CVE-2026-32985 | Critical | Mar 20, 2026
    risk 0.72, CVSS 9.8, EPSS 0.01

    Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality that allows remote attackers to execute arbitrary code by uploading a crafted ZIP archive containing malicious PHP payloads.…

  • CVE-2026-34415 | Critical | Apr 22, 2026
    risk 0.57, CVSS 9.8, EPSS 0.04

    Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined…

  • CVE-2026-34413 | High | Apr 22, 2026
    risk 0.49, CVSS 8.6, EPSS 0.03

    Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit() or die(), allowing PHP execution to…

  • CVE-2026-34414 | High | Apr 22, 2026
    risk 0.39, CVSS 7.1, EPSS 0.03

    Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can…

  • CVE-2026-41459 | Medium | Apr 22, 2026
    risk 0.27, CVSS 5.3, EPSS 0.01

    Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the…

  • CVE-2021-44665 | Medium | Feb 24, 2022
    risk 0.04, CVSS 6.5, EPSS 0.08

    A Directory Traversal vulnerability exists in the Xerte Project Xerte through 3.10.3 when downloading a project file via download.php.

  • CVE-2021-44664 | High | Feb 24, 2022
    risk 0.04, CVSS 8.8, EPSS 0.13

    An Authenticated Remote Code Execution (RCE) vulnerability exists in Xerte through 3.9 in website_code/php/import/fileupload.php by uploading a maliciously crafted PHP file through the project interface disguised as a language file to bypass the upload filters. Attackers can…

  • CVE-2021-44663 | Critical | Feb 24, 2022
    risk 0.00, CVSS 9.8, EPSS 0.04

    A Remote Code Execution (RCE) vulnerability exists in the Xerte Project Xerte through 3.8.4 via a crafted PHP file through elFinder in connector.php.

  • CVE-2021-44662 | Medium | Feb 24, 2022
    risk 0.00, CVSS 6.1, EPSS 0.01

    A Cross-Site Scripting (XSS) vulnerability exists in the Xerte Project Xerte through 3.8.4 via the link parameter in print.php.