Cyber Posture

CVE-2026-34415

Critical · Public PoC

Published: 22 April 2026
Modified: 24 April 2026
KEV Added: (no date given)
Patch
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0022 (45.0th percentile)
Risk Priority: 20 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Description

Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block the PHP-executable extension .php4 because of an incorrect regex pattern. Unauthenticated attackers can exploit this flaw, combined with authentication bypass and path traversal vulnerabilities, to upload malicious PHP code, rename it with a .php4 extension, and execute arbitrary operating system commands on the server.

Mitigating Controls (NIST 800-53 r5, AI-generated)

Prevent: Directly addresses the incomplete input validation vulnerability by enforcing proper validation of file extension inputs in the elFinder connector to block PHP-executable extensions such as .php4.

Prevent: Mitigates the vulnerability by requiring timely remediation of the specific flaw through application of the available patches that fix the incorrect regex pattern.

Prevent: Provides additional protection by restricting file upload inputs to safe, non-executable extensions only, complementing validation to prevent malicious PHP uploads.
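As an added illustration of the controls above (example code written for this page, not Xerte's or elFinder's own code): a deny-list regex that only matches a literal ".php" suffix, placed beside an allow-list validator that rejects any PHP-executable segment. The weak pattern and the extension lists are constructed assumptions, since the advisory does not show the actual regex.

```python
import re

# Constructed illustration of the bug class (not Xerte's actual pattern,
# which the advisory does not show): a deny-list regex that only matches
# a literal ".php" suffix. PHP handlers are commonly also mapped to
# .php3/.php4/.php5/.php7, .phtml, .phar and .phps, so this deny-list is incomplete.
WEAK_DENY = re.compile(r"\.php$", re.IGNORECASE)

def weak_is_blocked(filename: str) -> bool:
    """Deny-list check that exhibits the incomplete-regex flaw."""
    return bool(WEAK_DENY.search(filename))

# Hardened approach: an allow-list of non-executable extensions (an assumed
# list; tailor it to what the site actually needs) plus rejection of any
# segment a PHP handler might execute, checked on every dotted segment so
# that "shell.php4.png" is rejected as well as "shell.php4".
ALLOWED = {"png", "jpg", "jpeg", "gif", "pdf", "txt", "mp3", "mp4", "zip"}
PHP_LIKE = re.compile(r"^(php\d*|pht|phtm|phtml|phar|phps)$", re.IGNORECASE)

def is_safe_name(filename: str) -> bool:
    """Return True only if the name is safe to store under the upload root.

    Apply this on upload and again on rename, duplicate and archive
    extraction: the advisory's attack path uploads a file first and
    renames it to .php4 afterwards, so an upload-only check is not enough.
    """
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]  # drop any path part
    name = name.rstrip(". ")  # some filesystems strip trailing dots/spaces
    parts = name.split(".")
    if len(parts) < 2 or not parts[0]:
        return False  # no extension, or a dotfile such as .htaccess
    exts = [p.lower() for p in parts[1:]]
    if any(PHP_LIKE.match(e) for e in exts):
        return False  # PHP-executable segment anywhere in the name
    return exts[-1] in ALLOWED
```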

Security Summary (AI-generated)

CVE-2026-34415 is an incomplete input validation vulnerability in the elFinder connector endpoint of Xerte Online Toolkits versions 3.15 and earlier. The issue arises from an incorrect regex pattern that fails to block PHP-executable extensions such as .php4, allowing potentially malicious file uploads.

Unauthenticated attackers can exploit this flaw in combination with separate authentication bypass and path traversal vulnerabilities to upload malicious PHP code, rename it with a .php4 extension, and execute arbitrary operating system commands on the server. The vulnerability has a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating critical severity with high confidentiality, integrity, and availability impacts.

Mitigation is available through patches in the Xerte Online Toolkits repository, including commits 02661be88cc369325ea01b508086bde7fbfec805, 17e4f945fe6a3400fa88c01eda18c1075ee4a212, and 507d55c5e91bf9310b5b1c7fad8aebfef902ad23. The issue is tracked at https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527, and a proof-of-concept for remote code execution is published at https://github.com/bootstrapbool/xerteonlinetoolkits-rce. Affected installations should apply these updates promptly.

Details

MITRE ATT&CK Enterprise Techniques (AI-generated)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

The vulnerability enables unauthenticated exploitation of a public-facing web application (T1190) to upload and execute malicious PHP code that functions as a web shell (T1505.003) for arbitrary OS command execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0