CVE-2026-34414
Received Received - Intake
Path Traversal in Xerte Online Toolkits Enables Remote Code Execution

Publication date: 2026-04-22

Last updated on: 2026-04-24

Assigner: VulnCheck

Description
Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can supply a name value containing directory traversal sequences to move files from project media directories to arbitrary locations on the filesystem, potentially overwriting application files, achieving stored cross-site scripting, or combining with other vulnerabilities to achieve unauthenticated remote code execution by moving PHP code files to the application root.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-22
Last Modified
2026-04-24
Generated
2026-06-16
AI Q&A
2026-04-22
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34414
EUVD
EUVD-2026-25068
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
xerte_online_toolkits xerte_online_toolkits to 3.15 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-22 The product uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the product does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Xerte Online Toolkits versions 3.15 and earlier. It is a relative path traversal issue in the elFinder connector endpoint located at /editor/elfinder/php/connector.php. The problem arises because the 'name' parameter in rename commands is not properly sanitized for path traversal sequences.

Attackers can exploit this by supplying a 'name' value containing directory traversal sequences, which allows them to move files from project media directories to arbitrary locations on the filesystem.

This can lead to overwriting application files, enabling stored cross-site scripting attacks, or, when combined with other vulnerabilities, achieving unauthenticated remote code execution by moving PHP code files to the application root.

Impact Analysis

This vulnerability can have serious impacts including unauthorized modification of files on the server by moving files to arbitrary locations.

It can allow attackers to overwrite important application files, which may disrupt the normal functioning of the application.

Additionally, it can enable stored cross-site scripting attacks, potentially compromising user data and session integrity.

In the worst case, when combined with other vulnerabilities, it can lead to unauthenticated remote code execution, allowing attackers to run arbitrary code on the server.

Compliance Impact

The vulnerability in Xerte Online Toolkits allows attackers to perform directory traversal, potentially overwriting application files, enabling stored cross-site scripting, or achieving unauthenticated remote code execution. Such unauthorized access and manipulation of files could lead to exposure or alteration of sensitive data.

This kind of security flaw can impact compliance with standards like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and modification. Exploitation of this vulnerability could result in data breaches or unauthorized data processing, thereby violating these regulations.

However, the provided context and resources do not explicitly discuss compliance implications or how this vulnerability directly affects adherence to such standards.

Detection Guidance

The vulnerability involves exploitation of the elFinder connector endpoint at /editor/elfinder/php/connector.php by sending rename commands with a crafted "name" parameter containing directory traversal sequences. Detection can focus on monitoring HTTP requests to this endpoint for suspicious rename commands that include path traversal patterns such as '..' or encoded equivalents.

Suggested detection methods include inspecting web server logs or using network monitoring tools to filter requests targeting /editor/elfinder/php/connector.php with parameters containing '..' or other traversal sequences in the "name" parameter.

Example commands for detection might include:

  • Using grep on web server access logs to find suspicious rename commands: grep -i 'connector.php' access.log | grep -E 'rename.*name=.*\.\.\.'
  • Using network monitoring tools like tcpdump or Wireshark with filters for HTTP requests to /editor/elfinder/php/connector.php containing '..' in parameters.
  • Implementing web application firewall (WAF) rules to detect and block requests with directory traversal patterns in the "name" parameter.
Mitigation Strategies

Immediate mitigation steps include applying available patches that address the vulnerability in the elFinder connector endpoint. These patches introduce session validation enhancements, input sanitization, and a new function to prevent path traversal attacks.

Specifically, the fixes:

  • Enhance session validation by terminating execution if the user session is invalid.
  • Sanitize input parameters such as upload directories and URLs to prevent injection or malformed inputs.
  • Implement a preventPathTraversal function that blocks filenames containing directory traversal sequences.
  • Configure the file manager to deny uploads of PHP MIME types and disable risky commands like archive, extract, and netmount.
  • Hide and lock files matching patterns for readme and various script extensions to prevent unauthorized access or modification.

If patching immediately is not possible, consider restricting access to the vulnerable endpoint (/editor/elfinder/php/connector.php) via network controls or web server configuration to trusted users only.

Also, monitor for suspicious activity as described in detection methods to identify potential exploitation attempts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34414. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart