Missing Authentication Flaw in Xerte Online Toolkits from Xerte Project
CVE-2026-34413

8.8 HIGH

Key Information:

Vendor: Xerte Project
CVE Published: 22 April 2026

What is CVE-2026-34413?

Xerte Online Toolkits versions 3.15 and earlier are susceptible to a missing authentication vulnerability in the elFinder connector endpoint located at /editor/elfinder/php/connector.php. The endpoint issues an HTTP redirect for unauthenticated requests but does not terminate script execution afterwards, so the request continues into the connector's file-operation handlers and an unauthenticated attacker gains unauthorized access to file operations within project media directories. Attackers can create, upload, rename, duplicate, and delete files, potentially chaining these actions with path traversal and extension blocklist weaknesses to gain remote code execution and read sensitive files.
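The following is an added illustration, not code from Xerte Online Toolkits or from elFinder. It contrasts the "redirect without terminating the request" pattern the advisory describes with an authentication guard that stops execution, and shows elFinder's documented allow-list upload options (uploadDeny, uploadAllow, uploadOrder) in place of an extension blocklist. The session key, directory layout and function names are assumptions.

```php
<?php
// Added example (not Xerte's or elFinder's code). Session key $_SESSION['user_id'],
// the media path layout and the function names below are assumptions.

session_start();

// Pattern A (weak): the Location header is queued, but nothing stops the script,
// so an unauthenticated request keeps running into whatever follows this guard.
function redirect_if_not_logged_in_weak(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php');
        // no exit here: execution falls through to the file-operation handlers
    }
}

// Pattern B (hardened): the redirect ends the request; nothing after it runs.
function require_login(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php', true, 302);
        exit;
    }
}

require_login();   // must run before any connector code is loaded or executed

// Connector configuration. Per elFinder's documented root options, uploads are
// restricted by an allow-list evaluated after a blanket deny, instead of a
// blocklist of "dangerous" extensions (the kind the advisory says can be bypassed).
$userId    = (int) $_SESSION['user_id'];                        // cast: no path characters survive
$mediaRoot = '/var/www/xerte/USER-FILES/' . $userId . '/media'; // assumed layout

// Deny dot-files (e.g. .htaccess) to every operation; elFinder calls this per path.
// Return value: true/false to force the attribute, null to keep elFinder's default.
function deny_hidden_files(string $attr, string $path, $data, $volume, $isDir, $relpath): ?bool
{
    if (str_starts_with(basename($path), '.')) {
        return !($attr === 'read' || $attr === 'write'); // hidden: unreadable, unwritable, locked
    }
    return null;
}

$opts = [
    'roots' => [[
        'driver'        => 'LocalFileSystem',
        'path'          => $mediaRoot,
        'URL'           => '/USER-FILES/' . $userId . '/media/',
        'uploadDeny'    => ['all'],                                 // deny everything...
        'uploadAllow'   => ['image/png', 'image/jpeg', 'text/plain'], // ...except these MIME types
        'uploadOrder'   => ['deny', 'allow'],                       // allow-list overrides the deny
        'accessControl' => 'deny_hidden_files',
    ]],
];

// Loading and running the connector itself is assumed to follow here, e.g.:
// require './elFinderConnector.class.php'; require './elFinder.class.php';
// (new elFinderConnector(new elFinder($opts)))->run();
```

A quick check for the weak pattern from the defender's side: request the connector endpoint with no session cookie and inspect the full response. A correctly terminated guard returns only the 302 and an empty body; a response that carries a JSON body (elFinder's `open` or `files` payload) behind the redirect header means the script kept running after the redirect, which is exactly the condition this CVE describes.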

Affected Version(s)

xerteonlinetoolkits 3.15.0

xerteonlinetoolkits 3.14.0

xerteonlinetoolkits 3.13.0

CVSS V4

Score: 8.8
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

bootstrapbool