CVE-2026-34415 - Vulnerability Analysis
CriticalCVSS: 9.8Last Updated: April 22, 2026
Xerte Online Toolkits - Command Injection
Overview
Xerte Online Toolkits <= 3.15 contains a command injection caused by incomplete input validation in elFinder connector allowing .php4 extensions, letting unauthenticated attackers execute arbitrary OS commands via upload and rename, exploit requires no authentication.
Severity & Score
Impact
Unauthenticated attackers can execute arbitrary operating system commands, potentially leading to full server compromise.
Mitigation
Update to the latest version beyond 3.15.
References
- https://github.com/thexerteproject/xerteonlinetoolkits/commit/02661be88cc369325ea01b508086bde7fbfec805
- https://github.com/thexerteproject/xerteonlinetoolkits/commit/17e4f945fe6a3400fa88c01eda18c1075ee4a212
- https://github.com/thexerteproject/xerteonlinetoolkits/commit/507d55c5e91bf9310b5b1c7fad8aebfef902ad23
- https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527
- https://www.vulncheck.com/advisories/xerte-online-toolkits-file-upload-rce-via-elfinder-connector
- https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits
- https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html
Social Media Activity(1 post)
⚠️ CRITICAL: xerteonlinetoolkits ≤3.15 has incomplete input validation in elFinder — .php4 files can be uploaded & executed, enabling unauth RCE. Restrict endpoint, monitor uploads, apply custom filters. Patch status unknown. CVE-2026-34415 https://radar.offseq.com/threat/cve-2026-34415-cwe-184-incomplete-list-of-disallow-f774ae94 #OffSeq #Vuln #RCE
View original postRelated Resources
Details
- CVE ID
- CVE-2026-34415
- Severity
- Critical
- CVSS Score
- 9.8
- Type
- command_injection
- Status
- rejected
- EPSS
- 18.9%
- Social Posts
- 1
CWE
- CWE-184
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H