PatchSiren cyber security CVE debrief
CVE-2026-34414 thexerteproject CVE debrief
CVE-2026-34414 is a high-severity path traversal vulnerability in Xerte Online Toolkits versions 3.15 and earlier. The vulnerability exists in the elFinder connector endpoint at /editor/elfinder/php/connector.php, where the name parameter in rename commands is not sanitized for path traversal sequences. This allows attackers to supply a name value containing directory traversal sequences to move files from project media directories to arbitrary locations on the filesystem, potentially overwriting application files, achieving stored cross-site scripting, or combining with other vulnerabilities to achieve unauthenticated remote code execution by moving PHP code files to the application root.
- Vendor
- thexerteproject
- Product
- xerteonlinetoolkits
- CVSS
- HIGH 7.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-22
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-04-22
- Advisory updated
- 2026-07-14
Who should care
Administrators and users of Xerte Online Toolkits versions 3.15 and earlier should be aware of this vulnerability and take immediate action to mitigate the risk. This vulnerability has a high CVSS score of 7.1, indicating a significant threat to affected systems.
Technical summary
The vulnerability exists in the elFinder connector endpoint at /editor/elfinder/php/connector.php, where the name parameter in rename commands is not sanitized for path traversal sequences. This allows attackers to supply a name value containing directory traversal sequences to move files from project media directories to arbitrary locations on the filesystem, potentially overwriting application files, achieving stored cross-site scripting, or combining with other vulnerabilities to achieve unauthenticated remote code execution by moving PHP code files to the application root. The CVSS vector for this vulnerability is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Defensive priority
High
Recommended defensive actions
- Immediately update Xerte Online Toolkits to a version that fixes the path traversal vulnerability in the elFinder connector endpoint.
- Restrict access to the /editor/elfinder/php/connector.php endpoint to only trusted users and networks.
- Monitor the system for suspicious file movements and modifications.
- Implement additional security controls, such as web application firewalls and intrusion detection systems, to detect and prevent exploitation attempts.
- Conduct regular security audits and vulnerability assessments to identify and address potential vulnerabilities.
Evidence notes
The CVE record was published on 2026-04-22T19:17:04.033Z and has not been modified since then. The NVD entry is currently Deferred. The vulnerability was reported by Vulncheck and has been publicly disclosed.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-22T19:17:04.033Z and has not been modified since then. The NVD entry is currently Deferred.