Description
Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can supply a name value containing directory traversal sequences to move files from project media directories to arbitrary locations on the filesystem, potentially overwriting application files, achieving stored cross-site scripting, or combining with other vulnerabilities to achieve unauthenticated remote code execution by moving PHP code files to the application root.
Published: 2026-04-22
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The vulnerability is a relative path traversal flaw in the elFinder connector bundled with Xerte Online Toolkits (/editor/elfinder/php/connector.php). The "name" parameter of a rename command is not validated for traversal sequences, so an attacker can supply a name that moves a file out of a project's media directory to an arbitrary location on the filesystem. With that primitive an attacker can overwrite application files, plant stored cross-site scripting payloads, or, chained with other weaknesses, move a PHP file into the application root and reach unauthenticated remote code execution. The weakness is classified as CWE-22 (path traversal). Note that both CVSS vectors carry PR:L: the rename primitive is reached by a low-privileged user of the editor, and the unauthenticated outcome is the chained result, not the entry point.
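The following is an added example, not code from Xerte Online Toolkits or elFinder: a minimal model of the flaw the advisory describes. A rename target is built by joining a user-controlled name onto the media directory without checking it; the hardened version beside it refuses separators and verifies that the resolved path still sits under the media root. The directory layout, file names and the attacker-supplied name are constructed for the example, and how elFinder itself builds the target path is not shown on the page.

```python
"""Added example (not Xerte or elFinder code): a naive rename-target join beside
a containment check. Paths and names below are constructed for the example."""
import os
import tempfile


class TraversalError(ValueError):
    """Raised when a requested name would resolve outside the media root."""


def naive_target(media_root: str, name: str) -> str:
    """Vulnerable pattern: trust `name` and join it onto the media root.
    Any '../' components are handed straight to the filesystem."""
    return os.path.join(media_root, name)


def safe_target(media_root: str, name: str) -> str:
    """Hardened pattern: a rename target is a bare file name, so reject any
    separator or dot-directory outright, then resolve the final path and
    require that it still lies under the (resolved) media root."""
    if not name or "/" in name or "\\" in name or name in (".", ".."):
        raise TraversalError(f"invalid name: {name!r}")
    root = os.path.realpath(media_root)
    target = os.path.realpath(os.path.join(root, name))
    # Compare by path components, not string prefix, so a sibling directory
    # such as 'media2' is not mistaken for something inside 'media'.
    # realpath() also defeats a symlink planted inside the media directory.
    if os.path.commonpath([root, target]) != root:
        raise TraversalError(f"escapes media root: {name!r}")
    return target


def demo() -> dict:
    """Run both patterns on a constructed layout and report where the rename lands."""
    results = {}
    with tempfile.TemporaryDirectory() as app_root:
        media = os.path.join(app_root, "project", "media")
        os.makedirs(media)
        src = os.path.join(media, "payload.txt")
        with open(src, "w") as fh:
            fh.write("<?php /* constructed stand-in for attacker-uploaded content */ ?>")

        evil = "../../shell.php"  # constructed traversal name, two levels up
        os.rename(src, naive_target(media, evil))  # vulnerable join: no check at all
        results["naive_lands_in_app_root"] = os.path.exists(
            os.path.join(app_root, "shell.php")
        )

        # The hardened check refuses the same name before any rename happens.
        try:
            safe_target(media, evil)
            results["safe_rejects"] = False
        except TraversalError:
            results["safe_rejects"] = True

        # A plain file name is still accepted and stays under media/.
        accepted = safe_target(media, "image.png")
        results["safe_accepts_plain"] = accepted == os.path.realpath(
            os.path.join(media, "image.png")
        )
    return results


if __name__ == "__main__":
    print(demo())
```

The separator check alone would stop the traversal in the description; the `commonpath` comparison is the second layer for a deployment where names may legitimately contain subdirectories or where a symlink could be introduced into the media tree.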

Affected Systems

The affected product is Xerte Online Toolkits from The Xerte Project. Versions 3.15 and earlier are affected. The page names no fixed release, so treat any installation at or below 3.15 as vulnerable and confirm the fixing version against the vendor's release notes before relying on an upgrade.

Risk and Exploitability

The CVSS v3.1 and v4.0 base scores are both 7.1 (High). The EPSS estimate is below 1% and the issue is not in the CISA KEV catalog, so there is no sign of widespread exploitation; however, the SSVC assessment in the history below moved from "Exploitation: none" to "poc" on 29 April 2026, meaning a proof of concept is known. The flaw is reachable over the network by an attacker holding a low-privileged account (PR:L in both vectors): crafted HTTP requests to /editor/elfinder/php/connector.php with a traversal sequence in the "name" parameter relocate files to arbitrary paths, and if a PHP file lands in the web root the server is compromised.
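For responders who want to check whether the connector has already been probed, here is an added detection example (not from the advisory or the Xerte project) that scans web-server access-log lines for rename commands against the connector path whose name argument carries a traversal sequence, including URL-encoded and double-encoded forms. The log lines are constructed, and the query-string layout (cmd=rename&name=...) is an assumption about how the elFinder client encodes the command rather than something the advisory specifies.

```python
"""Added example (not from the advisory or Xerte): flag access-log entries that send
a rename to the elFinder connector with a traversal sequence in 'name'.
The log lines and the cmd/name query layout are constructed assumptions."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

CONNECTOR_PATH = "/editor/elfinder/php/connector.php"  # endpoint named in the advisory

# Common Log Format: client ident user [time] "METHOD URI PROTO" status size
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+')

# A '..' path component, with either separator, anywhere in the name.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

# Constructed sample log: one benign rename, two traversal attempts
# (one single-encoded, one double-encoded), plus unrelated traffic.
SAMPLE_LOG = """\
203.0.113.7 - editor1 [22/Apr/2026:10:01:02 +0000] "GET /editor/elfinder/php/connector.php?cmd=open&target=x1 HTTP/1.1" 200 512
203.0.113.7 - editor1 [22/Apr/2026:10:01:09 +0000] "GET /editor/elfinder/php/connector.php?cmd=rename&target=x1&name=notes.txt HTTP/1.1" 200 211
198.51.100.9 - editor1 [22/Apr/2026:10:02:41 +0000] "GET /editor/elfinder/php/connector.php?cmd=rename&target=x1&name=..%2F..%2Fshell.php HTTP/1.1" 200 211
198.51.100.9 - editor1 [22/Apr/2026:10:02:55 +0000] "POST /editor/elfinder/php/connector.php?cmd=rename&target=x1&name=..%252F..%252Fx.php HTTP/1.1" 200 211
192.0.2.5 - - [22/Apr/2026:10:03:00 +0000] "GET /index.php HTTP/1.1" 200 4096
"""


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated URL encoding (e.g. %252F -> %2F -> /) up to `rounds` times."""
    for _ in range(rounds):
        nxt = unquote(value)
        if nxt == value:
            break
        value = nxt
    return value


def suspicious_name(decoded_name: str) -> bool:
    """True if a rename name contains a '..' component or any path separator.
    A legitimate rename target is a bare file name, so either is anomalous."""
    return bool(TRAVERSAL_RE.search(decoded_name)) or "/" in decoded_name or "\\" in decoded_name


def scan(log_text: str) -> list:
    """Return (client, user, decoded_name) for every rename against the connector
    whose name argument looks like a traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, user, _ts, _method, uri, _status = m.groups()
        parts = urlsplit(uri)
        if parts.path != CONNECTOR_PATH:
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)  # decodes one layer
        if qs.get("cmd", [""])[0] != "rename":
            continue
        for raw in qs.get("name", []):
            decoded = fully_decode(raw)
            if suspicious_name(decoded):
                hits.append((client, user, decoded))
    return hits


if __name__ == "__main__":
    for client, user, name in scan(SAMPLE_LOG):
        print(f"{client} ({user}): rename name {name!r}")
```

One caveat: an access log only records the query string. If the client carries the command in a POST body, the name never reaches the log, so this scan has to be run over WAF, reverse-proxy or application logs that capture request bodies. A more reliable indicator on the host itself is a recently modified .php file in the application root whose owner is the web-server user.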

Generated by OpenCVE AI on April 27, 2026 at 08:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Xerte Online Toolkits to a release later than 3.15 that includes the path-traversal fix. The page currently lists no fixed version and no patch commits under its references, so confirm the fixing version against the vendor's release notes before treating an upgrade as complete.
  • Restrict the elFinder connector endpoint to authenticated, authorised users at the web-server or application layer. The rename primitive already requires a low-privileged account (PR:L), so this narrows who can reach the flaw rather than closing it; review which accounts hold editor access.
  • Keep upload and media directories outside the web root where the deployment allows, or configure the web server to refuse PHP execution inside them, and make the application root non-writable by the web-server user so that a relocated .php file either cannot land there or cannot execute if it does.


Advisories

No advisories yet.

History

Wed, 29 Apr 2026 14:15:00 +0000

  Metrics (ssvc)
    Removed: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}
    Added:   {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 20:15:00 +0000

  First Time appeared
    Added: Thexerteproject; Thexerteproject xerteonlinetoolkits
  Vendors & Products
    Added: Thexerteproject; Thexerteproject xerteonlinetoolkits

Fri, 24 Apr 2026 19:45:00 +0000

  References (values not listed on the page)

Wed, 22 Apr 2026 19:15:00 +0000

  Metrics (ssvc)
    Added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 19:00:00 +0000

  Description
    Added: the Description text shown at the top of this page
  Title
    Added: Xerte Online Toolkits Path Traversal via connector.php
  Weaknesses
    Added: CWE-22
  References (values not listed on the page)
  Metrics (cvssV3_1)
    Added: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N'}
  Metrics (cvssV4_0)
    Added: {'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-29T13:46:42.483Z

Reserved: 2026-03-27T15:24:06.752Z

Link: CVE-2026-34414

Vulnrichment

Updated: 2026-04-22T18:53:42.892Z

NVD

Status : Deferred

Published: 2026-04-22T19:17:04.033

Modified: 2026-04-24T20:16:25.203

Link: CVE-2026-34414

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T19:53:16Z

Weaknesses