CVE-2026-34413

Source
https://cve.org/CVERecord?id=CVE-2026-34413
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34413.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-34413
Published
2026-04-22T18:33:44.084Z
Modified
2026-07-15T01:49:22.475525947Z
Severity
  • 8.8 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
Xerte Online Toolkits Missing Authentication via connector.php
Details

Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit() or die(), allowing PHP execution to continue and process the full request server-side. Unauthenticated attackers can perform file operations on project media directories including creating directories, uploading files, renaming files, duplicating files, overwriting files, and deleting files, which can be chained with path traversal and extension blocklist vulnerabilities to achieve remote code execution and arbitrary file read.

Database specific
{
    "cna_assigner": "VulnCheck",
    "unresolved_ranges": [
        {
            "source": "AFFECTED_FIELD",
            "extracted_events": [
                {
                    "last_affected": "3.15.0"
                }
            ]
        }
    ],
    "cwe_ids": [
        "CWE-497"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34413.json"
}
References

Affected packages

Git / github.com/thexerteproject/xerteonlinetoolkits

Affected ranges

Type
GIT
Repo
https://github.com/thexerteproject/xerteonlinetoolkits
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

2.*
2.0
2.1-beta
AI-v3.*
AI-v3.15
AI-v3.15.1
AI-v3.15.2
AI-v3.15.3
AI-v3.15.4
X-v3.*
X-v3.7.1
X-v3.7.10
X-v3.7.11
X-v3.7.12
X-v3.7.13
X-v3.7.14
X-v3.7.2
X-v3.7.3
X-v3.7.4
X-v3.7.5
X-v3.7.6
X-v3.7.7
X-v3.7.8
X-v3.7.9
Other
git
initial
vX
v.*
v.3.11.19
v.3.12.27
v.3.12.6
v.3.13.1
v2.*
v2.0
v2.1
v2.1-beta
v3.*
v3.0-beta
v3.1
v3.10
v3.10.1
v3.10.2
v3.10.3
v3.10.4
v3.10.5
v3.11
v3.11.1
v3.11.10
v3.11.11
v3.11.12
v3.11.13
v3.11.14
v3.11.15
v3.11.16
v3.11.17
v3.11.18
v3.11.2
v3.11.20
v3.11.21
v3.11.3
v3.11.4
v3.11.5
v3.11.6
v3.11.7
v3.11.8
v3.11.9
v3.12
v3.12.1
v3.12.10
v3.12.11
v3.12.12
v3.12.13
v3.12.14
v3.12.15
v3.12.16
v3.12.17
v3.12.18
v3.12.19
v3.12.2
v3.12.20
v3.12.21
v3.12.22
v3.12.23
v3.12.24
v3.12.25
v3.12.26
v3.12.28
v3.12.29
v3.12.3
v3.12.30
v3.12.31
v3.12.32
v3.12.33
v3.12.4
v3.12.5
v3.12.6
v3.12.7
v3.12.8
v3.12.9
v3.13
v3.13.2
v3.13.3
v3.13.4
v3.13.5
v3.13.6
v3.13.7
v3.13.8
v3.13.9
v3.14.0
v3.14.1
v3.14.2
v3.14.3
v3.14.4
v3.14.5
v3.4
v3.4.1
v3.4.2
v3.5
v3.5.1
v3.5.2
v3.5.3
v3.5.4
v3.5.5
v3.6
v3.6.1
v3.6.2
v3.6.3
v3.6.4
v3.8
v3.8.1
v3.8.2
v3.8.3
v3.8.4
v3.8.5
v3.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34413.json"