Impact
Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation flaw in the elFinder connector endpoint. The flaw stems from an incorrect regular expression that fails to block PHP-executable extensions such as .php4. An attacker can exploit this oversight by uploading a PHP file, renaming it with a .php4 extension, and then requesting it to execute arbitrary operating-system commands. The flaw is further amplified when combined with existing authentication-bypass and path-traversal weaknesses, which allow the upload to be performed unauthenticated. The weakness corresponds to CWE-184 (an incomplete list of disallowed inputs), here caused by an erroneous regular expression used for input validation.
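As an added illustration of the CWE-184 pattern described above (this is not code from Xerte or elFinder, whose actual regular expression is not reproduced here), the following Python contrasts a deny-list extension check with an allowlist check and audits which constructed file names slip through the former; the regex, the allowed-extension set and the sample names are all assumptions made for the example.

```python
import re

# Constructed deny-list pattern of the kind that produces a CWE-184 bypass:
# it rejects only a literal ".php" suffix, so ".php4", ".phtml" and similar
# PHP-executable extensions are accepted. Illustrative, not Xerte's pattern.
WEAK_DENY_PATTERN = re.compile(r"\.php$", re.IGNORECASE)

# Hardened approach: an explicit allowlist of the extensions the application
# actually needs (assumed set), applied to the final extension of the
# basename, so no new executable suffix can be forgotten.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "zip"}


def weak_is_allowed(filename: str) -> bool:
    """Deny-list check: accepts anything not ending in exactly '.php'."""
    return WEAK_DENY_PATTERN.search(filename) is None


def hardened_is_allowed(filename: str) -> bool:
    """Allow-list check on the last extension of the basename only."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    if base in ("", ".", "..") or "\x00" in base or "." not in base:
        return False
    ext = base.rsplit(".", 1)[1].lower()
    return ext in ALLOWED_EXTENSIONS


def audit(names):
    """Return the names the weak check accepts but the allowlist rejects."""
    return [n for n in names if weak_is_allowed(n) and not hardened_is_allowed(n)]


# Constructed sample upload names, including traversal and case variants.
SAMPLE_UPLOADS = [
    "report.pdf",
    "shell.php",
    "shell.php4",
    "shell.phtml",
    "SHELL.PHP4",
    "../../shell.php4",
]

if __name__ == "__main__":
    for name in audit(SAMPLE_UPLOADS):
        print("deny-list gap:", name)
```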
Affected Systems
The affected product is Xerte Online Toolkits, published by xerteproject. All releases with a version number of 3.15 or earlier are vulnerable, including any derivative or locally modified installations that have not applied the fix. Users running these versions should check their current build and confirm whether it is 3.15 or below.
Risk and Exploitability
The CVSS score of 9.3 indicates a high severity level. Although no EPSS score is available, the combination of an unauthenticated upload capability, an exploitable file-naming check, and a path-traversal or authentication-bypass route gives an adversary a clear and straightforward attack vector. The vulnerability is not listed in the CISA KEV catalog, suggesting that no widely distributed exploits are known yet, but the potential for silent remote command execution on the server makes the risk significant. Applying an update or mitigation should be treated as a high-priority action.
OpenCVE Enrichment