PT-2026-34537 · Unknown · Xerte Online Toolkits

Bootstrapbool · Published 2026-04-22 · Updated 2026-04-23 · CVE-2026-34415

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Xerte Online Toolkits versions 3.15 and earlier
Description: Incomplete input validation in the elFinder connector endpoint fails to block PHP-executable extensions such as .php4 due to an incorrect regex pattern. Unauthenticated attackers can combine this flaw with authentication bypass and path traversal to upload malicious PHP code, rename it with a .php4 extension, and execute arbitrary operating system commands on the server.
Recommendations: Update to a version later than 3.15.
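As an added illustration of the weakness class named above (an incomplete denylist of executable extensions), the following PHP is hypothetical example code, not the Xerte or elFinder connector itself: the `\.php$` pattern is an assumed stand-in for the real regex, and the allowlist is a placeholder for whatever file types an application actually needs.

```php
<?php
// Hypothetical illustration of CWE-184 (incomplete denylist) in upload
// filename checks. Not Xerte's or elFinder's code; the regex is assumed.

// Weak check: a denylist that only knows the literal ".php" suffix.
// Any other extension the web server hands to the PHP interpreter
// (.php4, .php5, .phtml, .phar, ...) passes straight through.
function isBlockedByDenylist(string $name): bool
{
    return preg_match('/\.php$/i', $name) === 1;
}

// Hardened check: an explicit allowlist of extensions the application
// needs, applied to every dot-separated segment so that names such as
// "image.php4.jpg" are rejected along with "image.php4".
function isAllowedUpload(string $name): bool
{
    static $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt']; // placeholder list
    $segments = array_slice(explode('.', strtolower($name)), 1);
    if ($segments === []) {
        return false; // no extension at all: refuse rather than guess
    }
    foreach ($segments as $segment) {
        if (!in_array($segment, $allowed, true)) {
            return false;
        }
    }
    return true;
}

// A rename must be validated exactly like an upload: a filter applied only
// at upload time is defeated by renaming an innocuous file afterwards.
function isAllowedRename(string $from, string $to): bool
{
    return isAllowedUpload($from) && isAllowedUpload($to);
}

// Constructed sample names showing where the denylist and allowlist diverge.
foreach (['report.pdf', 'page.php', 'page.php4', 'image.php.jpg'] as $name) {
    printf("%-14s denylist blocks: %-4s allowlist accepts: %s\n",
        $name,
        isBlockedByDenylist($name) ? 'yes' : 'no',
        isAllowedUpload($name) ? 'yes' : 'no');
}
printf("rename report.pdf -> page.php4 allowed: %s\n",
    isAllowedRename('report.pdf', 'page.php4') ? 'yes' : 'no');
```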

Exploit · Fix · RCE · Incomplete List of Disallowed Inputs


Weakness Enumeration

Related Identifiers: CVE-2026-34415

Affected Products: Xerte Online Toolkits