CVE-2026-34415 - Vulnerability Analysis
Severity: Critical
CVSS: 9.8
Last Updated: April 22, 2026
Xerte Online Toolkits - Command Injection
Published: April 22, 2026
Updated: April 22, 2026
Remote Exploitable
Overview
Xerte Online Toolkits <= 3.15 contains a command injection vulnerability caused by incomplete input validation in the elFinder connector, which accepts the .php4 file extension. This lets unauthenticated attackers execute arbitrary OS commands via upload and rename; the exploit requires no authentication.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Unauthenticated attackers can execute arbitrary operating system commands, potentially leading to full server compromise.
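The root cause named in the overview is an incomplete denylist of file extensions (CWE-184). The following Python is an added example, not code from Xerte or elFinder: it contrasts a constructed denylist that blocks the obvious PHP extensions but forgets .php4 with an allowlist that only admits the extensions the upload area is meant to hold, and applies the same check to both upload and rename, the two operations the advisory names. The extension sets are constructed for illustration.

```python
import os

# Constructed, deliberately incomplete denylist (the CWE-184 pattern):
# it names ".php" and ".phtml" but not every extension a PHP handler may serve.
INCOMPLETE_DENYLIST = {"php", "phtml"}

# Constructed allowlist of extensions the upload area is actually meant to hold.
UPLOAD_ALLOWLIST = {"png", "jpg", "jpeg", "gif", "svg", "mp3", "mp4", "pdf", "txt"}


def extension_of(filename: str) -> str:
    """Return the lower-cased final extension, ignoring directory parts and
    trailing dots or spaces that some filesystems silently strip."""
    base = os.path.basename(filename).rstrip(". ")
    if "." not in base:
        return ""
    return base.rpartition(".")[2].lower()


def denylist_allows(filename: str) -> bool:
    """Denylist check: accepts anything that is not explicitly listed.
    Every extension the list forgot (here .php4) passes straight through."""
    return extension_of(filename) not in INCOMPLETE_DENYLIST


def allowlist_allows(filename: str) -> bool:
    """Allowlist check: accepts only a single known-safe extension.
    Names with extra dotted segments (e.g. 'x.php4.png') or an empty stem
    (e.g. '.htaccess') are rejected rather than reasoned about."""
    base = os.path.basename(filename).rstrip(". ")
    parts = base.split(".")
    if len(parts) != 2 or not parts[0]:
        return False
    return parts[1].lower() in UPLOAD_ALLOWLIST


def rename_allowed(old_name: str, new_name: str) -> bool:
    """Rename must satisfy the allowlist on both sides, so a file that was
    accepted as an image cannot be renamed into a server-side script."""
    return allowlist_allows(old_name) and allowlist_allows(new_name)


def compare(names):
    """Show, per name, what each policy would do. Used for the demo below."""
    return {n: (denylist_allows(n), allowlist_allows(n)) for n in names}


if __name__ == "__main__":
    # Constructed sample names: the first three are what the denylist misses.
    for name, (deny, allow) in compare(
        ["shell.php4", "shell.PHP4.", "shell.php4.png", "photo.png", "shell.php"]
    ).items():
        print(f"{name:18} denylist={'accept' if deny else 'reject':6} "
              f"allowlist={'accept' if allow else 'reject'}")
```

The denylist column accepts `shell.php4` and `shell.PHP4.` because neither string is in the list; the allowlist column rejects both, and also rejects the double-extension name without needing to know which extensions a given PHP handler serves.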
Mitigation
Update to a version later than 3.15.
References
- https://github.com/thexerteproject/xerteonlinetoolkits/commit/02661be88cc369325ea01b508086bde7fbfec805
- https://github.com/thexerteproject/xerteonlinetoolkits/commit/17e4f945fe6a3400fa88c01eda18c1075ee4a212
- https://github.com/thexerteproject/xerteonlinetoolkits/commit/507d55c5e91bf9310b5b1c7fad8aebfef902ad23
- https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527
- https://www.vulncheck.com/advisories/xerte-online-toolkits-file-upload-rce-via-elfinder-connector
- https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits
- https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html
Details
- CVE ID: CVE-2026-34415
- Severity: Critical
- CVSS Score: 9.8
- Type: command_injection
- Status: rejected
CWE
- CWE-184 (Incomplete List of Disallowed Inputs)
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H