Cyber Posture

CVE-2026-34413

Severity: High · Public PoC

Published: 22 April 2026

Modified: 24 April 2026
CVSS Score: 8.6 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L)
EPSS Score: 0.0041 (61.4th percentile)
Risk Priority: 17 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php. The HTTP redirect issued to unauthenticated callers is not followed by exit() or die(), so PHP execution continues and the full request is processed server-side. Unauthenticated attackers can therefore perform file operations on project media directories, including creating directories, uploading files, renaming files, duplicating files, overwriting files, and deleting files; these can be chained with path traversal and extension blocklist vulnerabilities to achieve remote code execution and arbitrary file read.

Mitigating Controls (NIST 800-53 r5) [AI]

Prevent: AC-14 explicitly limits actions permitted without identification or authentication, directly preventing unauthenticated file operations on the elFinder connector endpoint.

Prevent: AC-3 enforces approved access authorizations, addressing the failure to halt execution after redirecting unauthenticated callers.

Prevent: SI-2 requires timely flaw remediation, directly mitigated by applying the vendor patches that fix the authentication bypass in the connector.php endpoint.

Security Summary [AI]

Xerte Online Toolkits versions 3.15 and earlier are affected by CVE-2026-34413, a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php. The issue arises because an HTTP redirect sent to unauthenticated callers fails to invoke exit() or die(), permitting PHP execution to continue server-side and process the full request. This flaw, classified under CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere), carries a CVSS v3.1 base score of 8.6 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L).

Unauthenticated remote attackers can exploit this vulnerability to perform arbitrary file operations on project media directories, including creating directories, uploading files, renaming files, duplicating files, overwriting files, and deleting files. These capabilities can be chained with path traversal and extension blocklist vulnerabilities to achieve remote code execution and arbitrary file reads.
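The defect class named in the Description and the Security Summary above, a redirect that does not terminate the script, shown as a generic PHP illustration added here; it is not Xerte's code, and the hypothetical connector_dispatch() stands in for whatever the real connector does after its access check.

```php
<?php
// Added illustration of the bug class described above (not the project's
// code). connector_dispatch() is an assumed stand-in for the elFinder file
// operations (mkdir, upload, rename, duplicate, overwrite, rm, ...).
function connector_dispatch(array $request): string
{
    return 'handled ' . ($request['cmd'] ?? 'none');
}

// VULNERABLE PATTERN: header() only queues a Location header in the HTTP
// response. Execution continues, so the dispatch below still runs for an
// anonymous caller; the client sees a 302 while the server has already
// carried out the requested file operation.
function connector_vulnerable(bool $authenticated, array $request): string
{
    if (!$authenticated) {
        header('Location: /login.php');
        // missing exit() / die()
    }
    return connector_dispatch($request);
}

// FIXED PATTERN: stop the script immediately after emitting the response
// for the unauthenticated case, so nothing after the guard can run.
// A browser-facing page would redirect; an AJAX connector such as this
// endpoint is better served by a 401/403 with an empty body, since a
// redirect is meaningless to the JavaScript client and only hides the
// failure. Either way, exit is the essential part.
function connector_fixed(bool $authenticated, array $request): string
{
    if (!$authenticated) {
        http_response_code(403);
        header('Content-Type: application/json');
        echo json_encode(['error' => 'authentication required']);
        exit;
    }
    return connector_dispatch($request);
}
```

When reviewing PHP for this pattern, search for header('Location: ...') calls and confirm each one is followed by exit or die on the same control-flow path; a redirect used as an access-control decision is only as strong as the statement that stops execution after it.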

Mitigation is addressed in patches from the Xerte Online Toolkits project, including commits 02661be88cc369325ea01b508086bde7fbfec805, 17e4f945fe6a3400fa88c01eda18c1075ee4a212, and 507d55c5e91bf9310b5b1c7fad8aebfef902ad23 available on GitHub. A proof-of-concept for remote code execution is documented at https://github.com/bootstrapbool/xerteonlinetoolkits-rce, and the issue is tracked at https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527. Security practitioners should apply these updates promptly to affected installations.

Details

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unauthenticated arbitrary file operations on web-accessible project media directories directly enable exploitation of a public-facing application (T1190) and facilitate web shell deployment via malicious file uploads (T1100, the revoked Web Shell ID now covered by T1505.003), with chaining to RCE.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
