Summary
| Parameter | Value |
|---|---|
| CVE ID | CVE-2026-34415 |
| Alert Source | GitHub Advisory - Critical Vulnerability |
| CVE Publication Year | 2026 |
| Date Published | 2026-04-22 |
| Vendor | Xerte Project |
| Product | Xerte Online Toolkits |
| CVSS Score | 9.8 (critical) |
| EPSS Score | No data |
| CISA KEV | No |
| Ransomware | Not confirmed |
Vulnerability Description
Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authentication bypass and path traversal vulnerabilities to upload malicious PHP code, rename it with a .php4 extension, and execute arbitrary operating system commands on the server.
Required Actions
Update Xerte Online Toolkits to a version higher than 3.15 immediately, where the vulnerability has been fixed. Until the update is applied, restrict access to the elFinder endpoint via WAF or network controls, block uploads of non-standard PHP extensions (.php4, .phtml, .phar) at the server level, and review logs for upload and rename attempts.
Who Is Affected?
This vulnerability affects Xerte Online Toolkits versions 3.15 and earlier. Check whether your organization uses this educational software and update the installation to the patched version without delay.
Sources
Need help securing your systems? nFlo team offers vulnerability management and 24/7 SOC services. Contact us.
