{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34414", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-27T15:24:06.752Z", "datePublished": "2026-04-22T18:32:45.737Z", "dateUpdated": "2026-04-29T13:46:42.483Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-24T19:29:10.127Z"}, "title": "Xerte Online Toolkits Path Traversal via connector.php", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "affected": [{"vendor": "thexerteproject", "product": "xerteonlinetoolkits", "repo": "https://github.com/thexerteproject/xerteonlinetoolkits", "versions": [{"status": "affected", "version": "3.15.0", "versionType": "semver"}, {"status": "affected", "version": "3.14.0", "versionType": "semver"}, {"status": "affected", "version": "3.13.0", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "02661be88cc369325ea01b508086bde7fbfec805", "versionType": "git"}, {"status": "affected", "version": "0", "lessThan": "17e4f945fe6a3400fa88c01eda18c1075ee4a212", "versionType": "git"}, {"status": "affected", "version": "0", "lessThan": "507d55c5e91bf9310b5b1c7fad8aebfef902ad23", "versionType": "git"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can supply a name value containing directory traversal sequences to move files from project media directories to arbitrary locations on the filesystem, potentially overwriting application files, achieving stored cross-site scripting, or combining with other vulnerabilities to achieve unauthenticated remote code execution by moving PHP code files to the application root.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can supply a name value containing directory traversal sequences to move files from project media directories to arbitrary locations on the filesystem, potentially overwriting application files, achieving stored cross-site scripting, or combining with other vulnerabilities to achieve unauthenticated remote code execution by moving PHP code files to the application root.<br>"}]}], "references": [{"url": "https://github.com/bootstrapbool/xerteonlinetoolkits-rce", "tags": ["technical-description", "exploit"]}, {"url": "https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html", "tags": ["release-notes"]}, {"url": "https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits", "tags": ["product", "permissions-required"]}, {"url": "https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527", "tags": ["issue-tracking"]}, {"url": "https://github.com/thexerteproject/xerteonlinetoolkits/commit/02661be88cc369325ea01b508086bde7fbfec805", "tags": ["patch"]}, {"url": "https://github.com/thexerteproject/xerteonlinetoolkits/commit/17e4f945fe6a3400fa88c01eda18c1075ee4a212", "tags": ["patch"]}, {"url": "https://github.com/thexerteproject/xerteonlinetoolkits/commit/507d55c5e91bf9310b5b1c7fad8aebfef902ad23", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/xerte-online-toolkits-path-traversal-via-connector-php", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "availabilityImpact": "NONE", "baseSeverity": "HIGH", "baseScore": 7.1, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N"}}], "credits": [{"lang": "en", "value": "bootstrapbool", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-29T13:46:36.369051Z", "id": "CVE-2026-34414", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-29T13:46:42.483Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34414", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-29T13:46:36.369051Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-22T18:53:42.892Z"}}], "cna": {"title": "Xerte Online Toolkits Path Traversal via connector.php", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "bootstrapbool"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 7.1, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.1, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/thexerteproject/xerteonlinetoolkits", "vendor": "thexerteproject", "product": "xerteonlinetoolkits", "versions": [{"status": "affected", "version": "3.15.0", "versionType": "semver"}, {"status": "affected", "version": "3.14.0", "versionType": "semver"}, {"status": "affected", "version": "3.13.0", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "02661be88cc369325ea01b508086bde7fbfec805", "versionType": "git"}, {"status": "affected", "version": "0", "lessThan": "17e4f945fe6a3400fa88c01eda18c1075ee4a212", "versionType": "git"}, {"status": "affected", "version": "0", "lessThan": "507d55c5e91bf9310b5b1c7fad8aebfef902ad23", "versionType": "git"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://github.com/bootstrapbool/xerteonlinetoolkits-rce", "tags": ["technical-description", "exploit"]}, {"url": "https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html", "tags": ["release-notes"]}, {"url": "https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits", "tags": ["product", "permissions-required"]}, {"url": "https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527", "tags": ["issue-tracking"]}, {"url": "https://github.com/thexerteproject/xerteonlinetoolkits/commit/02661be88cc369325ea01b508086bde7fbfec805", "tags": ["patch"]}, {"url": "https://github.com/thexerteproject/xerteonlinetoolkits/commit/17e4f945fe6a3400fa88c01eda18c1075ee4a212", "tags": ["patch"]}, {"url": "https://github.com/thexerteproject/xerteonlinetoolkits/commit/507d55c5e91bf9310b5b1c7fad8aebfef902ad23", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/xerte-online-toolkits-path-traversal-via-connector-php", "tags": ["third-party-advisory"]}], "x_generator": {"engine": "Vulnogram 1.0.1"}, "descriptions": [{"lang": "en", "value": "Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can supply a name value containing directory traversal sequences to move files from project media directories to arbitrary locations on the filesystem, potentially overwriting application files, achieving stored cross-site scripting, or combining with other vulnerabilities to achieve unauthenticated remote code execution by moving PHP code files to the application root.", "supportingMedia": [{"type": "text/html", "value": "Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can supply a name value containing directory traversal sequences to move files from project media directories to arbitrary locations on the filesystem, potentially overwriting application files, achieving stored cross-site scripting, or combining with other vulnerabilities to achieve unauthenticated remote code execution by moving PHP code files to the application root.<br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-22", "description": "CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-24T19:29:10.127Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34414", "state": "PUBLISHED", "dateUpdated": "2026-04-29T13:46:42.483Z", "dateReserved": "2026-03-27T15:24:06.752Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-04-22T18:32:45.737Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can supply a name value containing directory traversal sequences to move files from project media directories to arbitrary locations on the filesystem, potentially overwriting application files, achieving stored cross-site scripting, or combining with other vulnerabilities to achieve unauthenticated remote code execution by moving PHP code files to the application root."}], "id": "CVE-2026-34414", "lastModified": "2026-04-24T20:16:25.203", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 4.2, "source": "disclosure@vulncheck.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-22T19:17:04.033", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/bootstrapbool/xerteonlinetoolkits-rce"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/thexerteproject/xerteonlinetoolkits/commit/02661be88cc369325ea01b508086bde7fbfec805"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/thexerteproject/xerteonlinetoolkits/commit/17e4f945fe6a3400fa88c01eda18c1075ee4a212"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/thexerteproject/xerteonlinetoolkits/commit/507d55c5e91bf9310b5b1c7fad8aebfef902ad23"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/xerte-online-toolkits-path-traversal-via-connector-php"}, {"source": "disclosure@vulncheck.com", "url": "https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits"}, {"source": "disclosure@vulncheck.com", "url": "https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.15.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.14.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.13.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,02661be88cc369325ea01b508086bde7fbfec805)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,17e4f945fe6a3400fa88c01eda18c1075ee4a212)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,507d55c5e91bf9310b5b1c7fad8aebfef902ad23)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "xerteonlinetoolkits", "source": "cna", "vendor": "thexerteproject"}, "product": "xerteonlinetoolkits", "vendor": "thexerteproject"}], "analysis": {"en": {"generated_at": "2026-04-27T08:31:41.386392+00:00", "value": {"mitigation_remediation": ["Update Xerte Online Toolkits to the latest stable release that includes the path\u2011traversal fix, or apply the patch commits linked in the advisory references.", "Configure the web\u2011server or application to require authentication for the elFinder connector endpoint, ensuring only authorized users can invoke rename operations.", "Verify that file upload directories are tightly permission\u2011restricted and that the application does not allow PHP files to be stored in the web root; adjust directory layout or filesystem controls to prevent accidental code execution."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The affected product is Xerte Online Toolkits from The Xerte Project. Versions 3.15 and earlier are vulnerable; all later releases are considered safe if updated accordingly.", "description_and_impact": "The vulnerability is a relative path traversal flaw in the elFinder connector of Xerte Online Toolkits. Specifically, the \"name\" parameter in rename commands is not validated for traversal sequences, allowing an attacker to specify paths that move files from project media directories to arbitrary locations. This defect enables an attacker to overwrite application files, embed stored cross\u2011site scripting payloads, or, if combined with other weaknesses, to place PHP code in the application root and achieve unauthenticated remote code execution. The weakness is classified as CWE\u201122, a classic path traversal issue.", "risk_and_exploitability": "The CVSS score of 7.1 reflects a moderate severity. No EPSS score is publicly available, and the issue is not listed in the CISA KEV catalog, suggesting no known widespread exploitation at this time. Potential attackers can exploit the flaw remotely by sending crafted HTTP requests to /editor/elfinder/php/connector.php, leveraging the unsanitized \"name\" parameter to write arbitrary files and ultimately compromise the server if PHP files are dropped into the web root."}}}}, "created": "2026-04-27T18:42:00.089109+00:00", "updated": "2026-04-27T19:53:16.909745+00:00", "vendors": ["thexerteproject", "thexerteproject$PRODUCT$xerteonlinetoolkits"]}