PT-2026-34535 · Unknown · Xerte Online Toolkits
Bootstrapbool · Published 2026-04-22 · Updated 2026-04-23 · CVE-2026-34413
CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Xerte Online Toolkits versions 3.15 and earlier

Description: A missing authentication issue exists in the elFinder connector endpoint '/editor/elfinder/php/connector.php'. The connector issues an HTTP redirect to unauthenticated callers but does not call exit() or die() afterwards, so PHP execution continues and the full request is processed server-side. Unauthenticated attackers can perform file operations on project media directories, including creating, renaming, duplicating, overwriting, and deleting files, as well as uploading files. This can be combined with path traversal and extension blocklist issues to achieve remote code execution and arbitrary file read.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.
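The defect described above, shown as an added illustration that is not Xerte's or elFinder's code: a session guard placed in front of a connector script, first in the broken form (redirect header set, script keeps running) and then in the hardened form. The function names, the login path and the session key are assumptions.

```php
<?php
// Added example, not code from Xerte Online Toolkits. Names are assumed.
// A session is assumed to have been started by the including script; for a
// stand-alone run we start one here.
if (session_status() === PHP_SESSION_NONE) {
    session_start();
}

// Vulnerable pattern: header() only queues the Location header. PHP does not
// stop on a redirect, so everything after this guard (the connector itself)
// still executes for an anonymous caller, and its output is sent along with
// the 302 response.
function require_login_vulnerable(): void
{
    if (empty($_SESSION['user_id'])) {
        header('Location: /login.php');
        // missing exit() / die(): execution continues into the connector
    }
}

// Hardened pattern: terminate the script right after the redirect so the
// connector code is unreachable without a session. For an endpoint that is
// called by scripts rather than browsers, a 401/403 with no body is the
// clearer response than a redirect.
function require_login_fixed(): void
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(302);
        header('Location: /login.php');
        exit;
    }
}

require_login_fixed();

// Only authenticated requests reach this point. The real connector would be
// included here, e.g. the elFinder connector bootstrap (path is illustrative).
// require __DIR__ . '/connector.php';
echo "connector reached for user " . $_SESSION['user_id'] . "\n";
```

To check a deployment after patching, an unauthenticated request to the connector should return only the redirect or 401 with an empty body; with the vulnerable guard the response body still carries the connector's JSON.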

Related Identifiers: CVE-2026-34413

Affected Products: Xerte Online Toolkits