CVE-2026-34415

Source
https://cve.org/CVERecord?id=CVE-2026-34415
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34415.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-34415
Published
2026-04-22T18:33:17.741Z
Modified
2026-07-08T08:12:50.078792644Z
Severity
  • 9.3 (Critical) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
Xerte Online Toolkits File Upload RCE via elfinder Connector
Details

Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authentication bypass and path traversal vulnerabilities to upload malicious PHP code, rename it with a .php4 extension, and execute arbitrary operating system commands on the server.

Database specific
{
    "cna_assigner": "VulnCheck",
    "cwe_ids": [
        "CWE-184"
    ],
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "last_affected": "3.15.0"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34415.json"
}
References

Affected packages

Git / github.com/thexerteproject/xerteonlinetoolkits

Affected ranges

Type
GIT
Repo
https://github.com/thexerteproject/xerteonlinetoolkits
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

2.*
2.0
2.1-beta
AI-v3.*
AI-v3.15
AI-v3.15.1
AI-v3.15.2
AI-v3.15.3
AI-v3.15.4
X-v3.*
X-v3.7.1
X-v3.7.10
X-v3.7.11
X-v3.7.12
X-v3.7.13
X-v3.7.14
X-v3.7.2
X-v3.7.3
X-v3.7.4
X-v3.7.5
X-v3.7.6
X-v3.7.7
X-v3.7.8
X-v3.7.9
Other
git
initial
vX
v.*
v.3.11.19
v.3.12.27
v.3.12.6
v.3.13.1
v2.*
v2.0
v2.1
v2.1-beta
v3.*
v3.0-beta
v3.1
v3.10
v3.10.1
v3.10.2
v3.10.3
v3.10.4
v3.10.5
v3.11
v3.11.1
v3.11.10
v3.11.11
v3.11.12
v3.11.13
v3.11.14
v3.11.15
v3.11.16
v3.11.17
v3.11.18
v3.11.2
v3.11.20
v3.11.21
v3.11.3
v3.11.4
v3.11.5
v3.11.6
v3.11.7
v3.11.8
v3.11.9
v3.12
v3.12.1
v3.12.10
v3.12.11
v3.12.12
v3.12.13
v3.12.14
v3.12.15
v3.12.16
v3.12.17
v3.12.18
v3.12.19
v3.12.2
v3.12.20
v3.12.21
v3.12.22
v3.12.23
v3.12.24
v3.12.25
v3.12.26
v3.12.28
v3.12.29
v3.12.3
v3.12.30
v3.12.31
v3.12.32
v3.12.33
v3.12.4
v3.12.5
v3.12.6
v3.12.7
v3.12.8
v3.12.9
v3.13
v3.13.2
v3.13.3
v3.13.4
v3.13.5
v3.13.6
v3.13.7
v3.13.8
v3.13.9
v3.14.0
v3.14.1
v3.14.2
v3.14.3
v3.14.4
v3.14.5
v3.4
v3.4.1
v3.4.2
v3.5
v3.5.1
v3.5.2
v3.5.3
v3.5.4
v3.5.5
v3.6
v3.6.1
v3.6.2
v3.6.3
v3.6.4
v3.8
v3.8.1
v3.8.2
v3.8.3
v3.8.4
v3.8.5
v3.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-34415.json"