PatchSiren

thexerteproject CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM thexerteproject CVE published 2026-04-22

CVE-2026-41459

CVE-2026-41459 is an information disclosure vulnerability in Xerte Online Toolkits versions 3.15 and earlier. The vulnerability allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root by sending a GET request to the /setup page. This exposure can enable exploitation of path-dependent vulnerabilities such as relative path traversal. Users of Xerte Online To [truncated]

CRITICAL thexerteproject CVE published 2026-04-22

CVE-2026-34415

CVE-2026-34415 is a critical vulnerability in Xerte Online Toolkits versions 3.15 and earlier. The elFinder connector endpoint fails to block PHP-executable extensions .php4 due to an incorrect regex pattern, allowing unauthenticated attackers to upload malicious PHP code, rename it with a .php4 extension, and execute arbitrary operating system commands on the server. This vulnerability has significant op [truncated]

HIGH thexerteproject CVE published 2026-04-22

CVE-2026-34414

CVE-2026-34414 is a high-severity path traversal vulnerability in Xerte Online Toolkits versions 3.15 and earlier. The vulnerability exists in the elFinder connector endpoint at /editor/elfinder/php/connector.php, where the name parameter in rename commands is not sanitized for path traversal sequences. This allows attackers to supply a name value containing directory traversal sequences to move files fro [truncated]

HIGH thexerteproject CVE published 2026-04-22

CVE-2026-34413

CVE-2026-34413 is a high-severity vulnerability in Xerte Online Toolkits versions 3.15 and earlier. The vulnerability is caused by a missing authentication mechanism in the elFinder connector endpoint at /editor/elfinder/php/connector.php. This allows unauthenticated attackers to perform various file operations, which can be chained with path traversal and extension blocklist vulnerabilities to achieve re [truncated]