PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-34414 thexerteproject CVE debrief

CVE-2026-34414 is a high-severity path traversal vulnerability in Xerte Online Toolkits versions 3.15 and earlier. The vulnerability exists in the elFinder connector endpoint at /editor/elfinder/php/connector.php, where the name parameter in rename commands is not sanitized for path traversal sequences. This allows attackers to supply a name value containing directory traversal sequences to move files from project media directories to arbitrary locations on the filesystem, potentially overwriting application files, achieving stored cross-site scripting, or combining with other vulnerabilities to achieve unauthenticated remote code execution by moving PHP code files to the application root.

Vendor
thexerteproject
Product
xerteonlinetoolkits
CVSS
HIGH 7.1
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-22
Original CVE updated
2026-07-14
Advisory published
2026-04-22
Advisory updated
2026-07-14

Who should care

Administrators and users of Xerte Online Toolkits versions 3.15 and earlier should be aware of this vulnerability and take immediate action to mitigate the risk. This vulnerability has a high CVSS score of 7.1, indicating a significant threat to affected systems.

Technical summary

The vulnerability exists in the elFinder connector endpoint at /editor/elfinder/php/connector.php, where the name parameter in rename commands is not sanitized for path traversal sequences. This allows attackers to supply a name value containing directory traversal sequences to move files from project media directories to arbitrary locations on the filesystem, potentially overwriting application files, achieving stored cross-site scripting, or combining with other vulnerabilities to achieve unauthenticated remote code execution by moving PHP code files to the application root. The CVSS vector for this vulnerability is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

Defensive priority

High

Recommended defensive actions

  • Immediately update Xerte Online Toolkits to a version that fixes the path traversal vulnerability in the elFinder connector endpoint.
  • Restrict access to the /editor/elfinder/php/connector.php endpoint to only trusted users and networks.
  • Monitor the system for suspicious file movements and modifications.
  • Implement additional security controls, such as web application firewalls and intrusion detection systems, to detect and prevent exploitation attempts.
  • Conduct regular security audits and vulnerability assessments to identify and address potential vulnerabilities.

Evidence notes

The CVE record was published on 2026-04-22T19:17:04.033Z and has not been modified since then. The NVD entry is currently Deferred. The vulnerability was reported by Vulncheck and has been publicly disclosed.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-22T19:17:04.033Z and has not been modified since then. The NVD entry is currently Deferred.