CVE-2026-34414

Name of the Vulnerable Software and Affected Versions Xerte Online Toolkits versions 3.15 and earlier

Description A relative path traversal issue exists in the elFinder connector endpoint '/editor/elfinder/php/connector.php'. The name parameter in rename commands is not properly sanitized for path traversal sequences. This allows attackers to move files from project media directories to arbitrary locations on the filesystem. Such actions could lead to the overwriting of application files, stored cross-site scripting, or unauthenticated remote code execution by moving PHP code files to the application root.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.