Xerte Online Toolkits versions 3.15 and earlier contain a critical path traversal vulnerability in the elFinder connector endpoint. The vulnerability exists in /editor/elfinder/php/connector.php where the name parameter in rename commands is not properly sanitized. Attackers can exploit this by supplying directory traversal sequences to move files from project media directories to arbitrary filesystem locations. This can lead to overwriting application files, achieving stored cross-site scripting, or combining with other vulnerabilities for unauthenticated remote code execution. The vulnerability allows moving PHP code files to the application root, significantly increasing the attack surface and potential for system compromise.