Path Traversal Vulnerability in Xerte Online Toolkits by Xerte Project
CVE-2026-34414

7.1 HIGH

Key Information:

Vendor:
CVE Published: 22 April 2026

What is CVE-2026-34414?

Xerte Online Toolkits versions 3.15 and earlier contain a path traversal vulnerability in the elFinder connector, located at the endpoint /editor/elfinder/php/connector.php. The 'name' parameter of rename commands is not adequately sanitized, so an attacker can supply directory traversal sequences in it. A malicious user could therefore move files out of a project's media directory to any writable location on the filesystem, which creates significant risk: overwriting application files, enabling stored cross-site scripting, or combining with other weaknesses to achieve remote execution of arbitrary PHP code.
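The defensive counterpart to the flaw described above, as an added example that is not Xerte or elFinder code: a rename target is validated as a bare file name (no separators, traversal components or NUL bytes), and the containing directory is resolved on disk and confirmed to sit under the media root. The media directory and sample names are constructed for the demo.

```php
<?php
// Added example, not code from Xerte or elFinder: validate the 'name'
// parameter of a rename command so the renamed file cannot leave the
// project's media directory. Media root and sample names are constructed.

function safeRenameTarget(string $mediaRoot, string $currentFile, string $name): ?string
{
    // A rename target is a bare file name: reject anything empty, a traversal
    // component, or carrying a path separator or NUL byte.
    if ($name === '' || $name === '.' || $name === '..') {
        return null;
    }
    if (strpbrk($name, "/\\\0") !== false) {
        return null;
    }
    // Defence in depth: resolve the containing directory on disk and confirm
    // it is the media root or a directory beneath it.
    $root = realpath($mediaRoot);
    $dir  = realpath(dirname($currentFile));
    if ($root === false || $dir === false) {
        return null;
    }
    $prefix = rtrim($root, DIRECTORY_SEPARATOR) . DIRECTORY_SEPARATOR;
    if ($dir !== $root && strncmp($dir, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $dir . DIRECTORY_SEPARATOR . $name;
}

// Constructed demo: a throwaway media directory holding one project file.
$media = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'media_' . bin2hex(random_bytes(4));
mkdir($media . '/project1', 0700, true);
$current = $media . '/project1/image.png';
file_put_contents($current, 'x');

$samples = [
    'renamed.png'       => 'accepted',
    '../../config.php'  => 'rejected',
    "..\\..\\index.php" => 'rejected',
    "evil.php\0.png"    => 'rejected',
];
foreach ($samples as $name => $expected) {
    $verdict = safeRenameTarget($media, $current, $name) === null ? 'rejected' : 'accepted';
    printf("%-20s %s (expected %s)\n", addcslashes($name, "\0..\37"), $verdict, $expected);
}

unlink($current);
rmdir($media . '/project1');
rmdir($media);
```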

Affected Version(s)

xerteonlinetoolkits 3.15.0

xerteonlinetoolkits 3.14.0

xerteonlinetoolkits 3.13.0

References

CVSS v4

Score: 7.1
Severity: HIGH
Confidentiality: Low
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

bootstrapbool