Input Validation Flaw in Xerte Online Toolkits by Xerte Project
CVE-2026-34415

9.3 CRITICAL

Key Information:

Vendor: Xerte Project
CVE Published: 22 April 2026

What is CVE-2026-34415?

Xerte Online Toolkits versions 3.15 and earlier contain an input validation flaw in the elFinder connector endpoint: the endpoint does not block the upload of PHP-executable files carrying the .php4 extension. Chained with authentication bypass and path traversal vulnerabilities, the flaw lets an unauthenticated attacker upload a file containing PHP code, rename it to the .php4 extension, and execute arbitrary commands on the server, fully compromising it. Prompt remediation of affected installations is advised.
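The root cause described above is a filename check that knows about `.php` but not its executable variants. The following PHP is an added illustration written for this page; it is not Xerte or elFinder code, and the allowlist contents, function names and the sample filenames are assumptions. It contrasts the denylist pattern that lets `.php4` through with an allowlist check that also covers double extensions and is applied to rename as well as upload, since the description notes that the rename step is part of the chain.

```php
<?php
// Added example (not Xerte/elFinder code): allowlist-based filename validation
// applied to both upload and rename, so a "deny .php" list cannot be bypassed
// by .php4 or similar variants.

// Extensions the application actually needs to accept (assumed for this example).
const ALLOWED_EXTENSIONS = ['png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt', 'mp4', 'zip'];

// Weak check modelled on the flaw: a denylist that only knows ".php".
// "page.php4" passes, and common PHP handler configurations execute it as PHP.
function denylistCheck(string $name): bool {
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return $ext !== 'php';
}

// Hardened check: every dot-separated segment after the stem must be on the
// allowlist, so "file.php4", "file.php.png" and "file.PHP4" are all rejected.
// Dotfiles are refused as well, which keeps server config files such as
// .htaccess out of the upload directory.
function allowlistCheck(string $name): bool {
    if (strpos($name, "\0") !== false) {
        return false;                          // embedded NUL: never a legitimate name
    }
    $base = basename($name);                   // ignore any directory component
    if ($base === '' || $base[0] === '.') {
        return false;
    }
    $parts = explode('.', $base);
    if (count($parts) < 2) {
        return false;                          // require an explicit extension
    }
    array_shift($parts);                       // drop the stem, keep every extension
    foreach ($parts as $ext) {
        if (!in_array(strtolower($ext), ALLOWED_EXTENSIONS, true)) {
            return false;
        }
    }
    return true;
}

// The same rule must guard rename; validating only on upload leaves the
// upload-then-rename path open. Refusals are logged for detection.
function renameIfAllowed(string $from, string $to): bool {
    if (!allowlistCheck($to)) {
        error_log('rename refused, disallowed target name: ' . basename($to));
        return false;
    }
    return rename($from, $to);
}

// Constructed sample names showing where the two checks diverge.
foreach (['report.pdf', 'page.php4', 'page.php', 'photo.PHP.jpg', 'notes.txt.php4'] as $n) {
    printf("%-16s denylist=%s  allowlist=%s\n", $n,
        denylistCheck($n) ? 'accept' : 'reject',
        allowlistCheck($n) ? 'accept' : 'reject');
}
```

Running the loop shows the denylist accepting everything except `page.php`, while the allowlist accepts only `report.pdf`. A filename check of this kind is one layer; the upload directory should additionally be configured so the web server never executes scripts from it, which limits the impact even if a check is bypassed.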

Affected Version(s)

xerteonlinetoolkits 3.15.0

xerteonlinetoolkits 3.14.0

xerteonlinetoolkits 3.13.0

References

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved

Credit

bootstrapbool