Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connec…

Published:

21 april 2026 om 22:00:00

Alert date:

22 april 2026 om 22:11:22

Source:

nvd.nist.gov

Web Technologies, Enterprise Applications

Xerte Online Toolkits versions 3.15 and earlier contain a critical missing authentication vulnerability in the elFinder connector endpoint. The vulnerability occurs when HTTP redirects to unauthenticated users fail to call exit() or die(), allowing PHP execution to continue processing requests server-side. Unauthenticated attackers can perform extensive file operations including creating, uploading, renaming, duplicating, overwriting, and deleting files in project media directories. This vulnerability can be chained with path traversal and extension blocklist bypasses to achieve remote code execution and arbitrary file read capabilities, making it a severe security risk for affected installations.

Technical details

Mitigation steps:

Affected products:

Xerte Online Toolkits

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-34413
https://github.com/thexerteproject/xerteonlinetoolkits/commit/02661be88cc369325ea01b508086bde7fbfec805
https://github.com/thexerteproject/xerteonlinetoolkits/commit/17e4f945fe6a3400fa88c01eda18c1075ee4a212
https://github.com/thexerteproject/xerteonlinetoolkits/commit/507d55c5e91bf9310b5b1c7fad8aebfef902ad23
https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527
https://www.vulncheck.com/advisories/xerte-online-toolkits-missing-authentication-via-connector-php
https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits
https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html

Related CVE's:

CVE-2026-34413

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.