CVE-2026-34413
Received Received - Intake
Missing Authentication in Xerte elFinder Allows Remote Code Execution

Publication date: 2026-04-22

Last updated on: 2026-04-24

Assigner: VulnCheck

Description
Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit() or die(), allowing PHP execution to continue and process the full request server-side. Unauthenticated attackers can perform file operations on project media directories including creating directories, uploading files, renaming files, duplicating files, overwriting files, and deleting files, which can be chained with path traversal and extension blocklist vulnerabilities to achieve remote code execution and arbitrary file read.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-14
NVD
CVE-2026-34413
EUVD
EUVD-2026-25067
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xerte online_toolkits to 3.15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-497 The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

Xerte Online Toolkits versions 3.15 and earlier have a missing authentication vulnerability in the elFinder connector endpoint located at /editor/elfinder/php/connector.php. When an unauthenticated user accesses this endpoint, the system attempts to redirect them but fails to stop further PHP execution by not calling exit() or die(). This allows the attacker to continue processing the request on the server side.

As a result, unauthenticated attackers can perform various file operations on project media directories, such as creating directories, uploading files, renaming files, duplicating files, overwriting files, and deleting files. These actions can be combined with other vulnerabilities like path traversal and extension blocklist bypasses to achieve remote code execution and arbitrary file reading.

Impact Analysis

This vulnerability can have severe impacts including unauthorized access and manipulation of files within the project media directories. Attackers can upload malicious files, delete or overwrite important files, and rename or duplicate files, potentially disrupting service or corrupting data.

More critically, by chaining this vulnerability with path traversal and extension blocklist bypasses, attackers may achieve remote code execution on the server, allowing them to run arbitrary code. This could lead to full system compromise, data breaches, and loss of control over the affected server.

Compliance Impact

The vulnerability allows unauthenticated attackers to perform unauthorized file operations including creating, uploading, renaming, duplicating, overwriting, and deleting files within project media directories. This can lead to exposure or manipulation of sensitive data.

Such unauthorized access and potential data exposure or alteration could negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive personal and health information against unauthorized access and modification.

However, the provided information does not explicitly discuss compliance impacts or regulatory considerations.

Detection Guidance

This vulnerability involves unauthenticated access to the elFinder connector endpoint at /editor/elfinder/php/connector.php, where an HTTP redirect does not terminate PHP execution, allowing unauthorized file operations.

To detect this vulnerability on your system, you can attempt to send unauthenticated HTTP requests to the vulnerable endpoint and observe if the server processes file operation commands despite issuing a redirect.

Example commands to test this behavior include using curl to send requests to the connector.php endpoint without authentication and checking for unexpected file operation responses or side effects.

  • curl -v "http://yourserver/editor/elfinder/php/connector.php?cmd=mkdir&target=l1_Lw&name=testdir"
  • curl -v "http://yourserver/editor/elfinder/php/connector.php?cmd=upload&target=l1_Lw" -F "upload[][email protected]"
  • curl -v "http://yourserver/editor/elfinder/php/connector.php?cmd=rename&target=l1_Lw&name=newname.txt"

If these commands succeed without authentication and the server does not properly terminate execution after redirecting, the system is vulnerable.

Mitigation Strategies

Immediate mitigation steps include applying the available patches for Xerte Online Toolkits versions 3.15, 3.14, and 3.13 that address this missing authentication vulnerability.

If patching is not immediately possible, restrict access to the /editor/elfinder/php/connector.php endpoint by implementing network-level controls such as firewall rules or web server access restrictions to prevent unauthenticated access.

Additionally, monitor server logs for suspicious unauthenticated requests to the connector endpoint and consider disabling or removing the elFinder connector if it is not required.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34413. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart