Xerte Online Toolkit unauth RCE via file upload (CVE-2026-34415)

Patch now - CVE-2026-34415 is a critical remote code execution in Xerte Online Toolkit 3.15 and earlier that grants unauthenticated attackers full server compromise via a path traversal and incomplete input validation chain. Upgrade to version 3.16 immediately.

Overview

A critical security vulnerability in Xerte Online Toolkit allows unauthenticated attackers to execute arbitrary commands on the underlying server. Tracked as CVE-2026-34415, this flaw has a maximum CVSS score of 9.8 due to its network accessibility and lack of required privileges or user interaction.

Vulnerability Details

The vulnerability is a chain of three issues within the elFinder file manager connector. Primarily, the input validation filter designed to block executable PHP files contains an incomplete regular expression. This filter fails to recognize the .php4 file extension, allowing it to pass through. Attackers can combine this with separate authentication bypass and path traversal flaws to upload a malicious file, rename it with the .php4 extension, and trigger its execution. This results in full remote code execution (RCE) on the host.

Affected Products

• Xerte Online Toolkit versions 3.15 and earlier. All deployments with the vulnerable elFinder component are at risk.

Impact

Successful exploitation grants an unauthenticated remote attacker the ability to run operating system commands with the privileges of the web server process. This can lead to complete system compromise, data theft, deployment of ransomware or other malware, and use of the server as a foothold for further attacks within the network.

Remediation and Mitigation

The primary and only complete mitigation is to upgrade Xerte Online Toolkit to version 3.16 or later, which contains a corrected filter. The vendor has released patches addressing the entire vulnerability chain.

Immediate Actions:

1. Patch: Upgrade all instances to version 3.16 without delay.
2. Investigate: Review server access and file system logs for any suspicious .php4 file uploads or unexpected process execution originating from the web server user. For more on post-incident analysis, see our breach reports.
3. Network Controls: As a temporary measure if patching is impossible, restrict network access to the Xerte application to only trusted users or networks. This reduces the attack surface but does not eliminate the vulnerability.

Security Insight

This vulnerability underscores the critical importance of defense-in-depth within single components. The flaw was not a single misstep but a chain of failures-insecure default configuration, flawed input validation, and insufficient path sanitization-within the integrated elFinder library. It mirrors past incidents where “simple” file upload features become major RCE vectors, highlighting that third-party libraries must be vetted and hardened as rigorously as core application code. For ongoing coverage of similar threats, follow our security news.

Further Reading

• All Critical Vulnerabilities
• Recent Critical Vulnerabilities
• Top Critical CVEs