Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connec…

Published:

21 april 2026 om 22:00:00

Alert date:

22 april 2026 om 20:02:14

Source:

nvd.nist.gov

Web Technologies, Enterprise Applications

Xerte Online Toolkits versions 3.15 and earlier contain a critical missing authentication vulnerability in the elFinder connector endpoint. The vulnerability allows unauthenticated attackers to perform file operations including creating, uploading, renaming, duplicating, overwriting, and deleting files in project media directories. This can be chained with path traversal and extension blocklist vulnerabilities to achieve remote code execution and arbitrary file read. The issue stems from improper handling of HTTP redirects where PHP execution continues after redirecting unauthenticated callers.

Technical details

Mitigation steps:

Affected products:

Xerte Online Toolkits

Related links:

https://nvd.nist.gov/vuln/detail/CVE-2026-34413
https://github.com/thexerteproject/xerteonlinetoolkits/commit/02661be88cc369325ea01b508086bde7fbfec805
https://github.com/thexerteproject/xerteonlinetoolkits/commit/17e4f945fe6a3400fa88c01eda18c1075ee4a212
https://github.com/thexerteproject/xerteonlinetoolkits/commit/507d55c5e91bf9310b5b1c7fad8aebfef902ad23
https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527
https://www.vulncheck.com/advisories/xerte-online-toolkits-missing-authentication-via-connector-php
https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits
https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html

Related CVE's:

CVE-2026-34413

Related threat actors:

IOC's:

This article was created with the assistance of AI technology by Perceptive.