Which versions of Xerte Online Toolkits are affected by CVE-2026-34414?

Xerte Online Toolkits versions 3.15 and earlier contain a path traversal vulnerability in the elFinder file connector that allows authenticated users to move files to arbitrary locations, potentially…. A patch is available.

Is there a public PoC exploit available for CVE-2026-34414?

Yes, a public proof-of-concept exploit is available for CVE-2026-34414. Prioritise patching immediately. EPSS: 0.1%.

How to fix or mitigate CVE-2026-34414?

Within 24 hours: Inventory all Xerte Online Toolkits instances and identify versions running 3.15 or earlier. Within 7 days: Apply vendor patch via GitHub commits 02661be, 507d55c, or 17e4f94 to all affected instances; verify patched version deployment. Within 30 days: Conduct file integrity audit on all Xerte instances to detect any unauthorized file modifications during the patching window.

Xerte Online Toolkits CVE-2026-34414

Q: What is the CVSS score of CVE-2026-34414?

CVE-2026-34414 has a CVSS 4.0 base score of 7.1 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.1%.

EUVD-2026-25068 HIGH

Path Traversal (CWE-22)

2026-04-22 VulnCheck

GHSA-qmm4-q4hj-r5cm

RCE PHP XSS Path Traversal

7.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

7.1 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Re-analysis Queued

Apr 24, 2026 - 20:22 vuln.today

cvss_changed

Analysis Generated

Apr 23, 2026 - 06:57 vuln.today

EUVD ID Assigned

Apr 22, 2026 - 19:01 euvd

EUVD-2026-25068

Analysis Generated

Apr 22, 2026 - 19:01 vuln.today

Patch released

Apr 22, 2026 - 19:01 nvd

Patch available

CVE Published

Apr 22, 2026 - 18:32 nvd

HIGH 7.1

DescriptionCVE.org

Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can supply a name value containing directory traversal sequences to move files from project media directories to arbitrary locations on the filesystem, potentially overwriting application files, achieving stored cross-site scripting, or combining with other vulnerabilities to achieve unauthenticated remote code execution by moving PHP code files to the application root.

AnalysisAI

Path traversal in Xerte Online Toolkits' elFinder connector allows authenticated attackers to move files to arbitrary filesystem locations, enabling application file overwrites, stored XSS, or chained remote code execution. Affects versions 3.15 and earlier through unsanitized rename operations at /editor/elfinder/php/connector.php. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Authenticate with low-privilege account

Delivery

Upload malicious PHP file to project media

Exploit

Intercept rename POST to /editor/elfinder/php/connector.php

Install

Inject traversal sequences in name parameter

Move file to application root

Execute

Execute relocated PHP via HTTP request

Impact

Achieve RCE with web server privileges

Recon

Authenticate with low-privilege account

Delivery

Upload malicious PHP file to project media

Exploit

Intercept rename POST to /editor/elfinder/php/connector.php

Install

Inject traversal sequences in name parameter

Move file to application root

Execute

Execute relocated PHP via HTTP request

Impact

Achieve RCE with web server privileges

Vulnerability AssessmentAI

Exploitation	Requires authenticated access with low privileges (PR:L in CVSS vector) to Xerte Online Toolkits, specifically user accounts with permission to create projects and upload files to project media directories. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment	The CVSS 7.1 score reflects high integrity impact (VI:H) with network attack vector (AV:N), low complexity (AC:L), and low privileges required (PR:L), indicating straightforward exploitation by any authenticated user. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An authenticated attacker with low-privilege access to Xerte Online Toolkits creates a learning project and uploads a malicious PHP shell to their project media directory (legitimate functionality). They intercept the rename request to /editor/elfinder/php/connector.php and modify the 'name' parameter to '../../../index.php' or '../../../shell.php', moving their uploaded file from the sandboxed media directory to the application root. …
Remediation	Apply vendor patches immediately by upgrading to Xerte Online Toolkits version incorporating GitHub commits 02661be88cc369325ea01b508086bde7fbfec805, 507d55c5e91bf9310b5b1c7fad8aebfef902ad23, and 17e4f945fe6a3400fa88c01eda18c1075ee4a212, available from https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Xerte Online Toolkits instances and identify versions running 3.15 or earlier. …

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL Act Now POC

9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce

CVE-2026-49954 HIGH This Week POC

8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to

CVE-2026-27053 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot

CVE-2026-49104 CRITICAL Act Now

9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

CVE-2026-34414 vulnerability details – vuln.today

Back

Xerte Online Toolkits CVE-2026-34414

Severity by source

CVSS VectorNVD

Lifecycle Timeline

DescriptionCVE.org

AnalysisAI

Unlock full vulnerability intelligence

Attack ChainAIDerived

Vulnerability AssessmentAI

Recommended ActionAI

More from same product – last 7 days

Share

External POC / Exploit Code