216.73.217.64

CVE-2026-34414

· Published 22/04/2026 19:17 · Modified 22/04/2026 21:18

Labels: CVE-2026-34414 2026-04-22CVE-2026-34414CWE-22[email protected]

Essential information

Published
22/04/2026 19:17
Modified
22/04/2026 21:18
Author
Creator
CVSS
7.1 HIGH (v3) 7.1 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can supply a name value containing directory traversal sequences to move files from project media directories to arbitrary locations on the filesystem, potentially overwriting application files, achieving stored cross-site scripting, or combining with other vulnerabilities to achieve unauthenticated remote code execution by moving PHP code files to the application root.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
xerte / xerte online toolkits cpe:2.3:a:xerte:xerte_online_toolkits:3.15:*:*:*:*:*:*:*
xerte / xerte online toolkits cpe:2.3:a:xerte:xerte_online_toolkits:*:*:*:*:*:*:*:*

References