Cyber Resilience

CVE-2026-34414

Severity: High · Public PoC available
Published: 22 April 2026
Modified: 24 April 2026
KEV Added: not listed
Patch: available
CVSS v4.0 score: 7.1 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0013 (32.4th percentile)
Risk priority: 14 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-34414 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 32.4th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-34414 is a relative path traversal vulnerability (CWE-22) in Xerte Online Toolkits versions 3.15 and earlier. The issue affects the elFinder connector endpoint at /editor/elfinder/php/connector.php, where the name parameter in rename commands is not sanitized against path traversal sequences. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N).

Attackers with low-privileged access can exploit the vulnerability over the network with low complexity and no user interaction required. By supplying directory traversal sequences in the name parameter, they can move files from project media directories to arbitrary filesystem locations. This enables overwriting application files, achieving stored cross-site scripting, or combining with other flaws to enable unauthenticated remote code execution via relocation of PHP code files to the application root.
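The sanitization and containment check that the SI-10 control below calls for, as an added reference example written in Python rather than taken from the elFinder connector's PHP; the volume root path, the query-string samples and the helper names are constructed assumptions:

```python
"""Reference checks for a file-manager rename 'name' parameter (added example, not
the elFinder connector's own PHP): reject traversal, then prove containment."""
import os
import re
from urllib.parse import parse_qs

# A rename name must be a single path component: no separators, no NUL byte.
_UNSAFE = re.compile(r"[\\/\x00]")

def is_safe_name(name: str) -> bool:
    """True only for a plain file name that cannot change directory."""
    if not name or name in (".", ".."):
        return False
    return _UNSAFE.search(name) is None

def validate_rename(volume_root: str, source: str, name: str):
    """Return (True, destination) when the rename stays inside volume_root,
    otherwise (False, reason). Source and destination are both resolved with
    realpath and checked for containment (defence in depth on top of the name
    check), so neither '..' nor a symlink can move the file out of the volume."""
    if not is_safe_name(name):
        return False, "name contains a separator or traversal sequence"
    root = os.path.realpath(volume_root)
    src = os.path.realpath(os.path.join(root, source))
    if os.path.commonpath([root, src]) != root:
        return False, "source resolves outside the volume"
    dest = os.path.realpath(os.path.join(os.path.dirname(src), name))
    if os.path.commonpath([root, dest]) != root:
        return False, "destination resolves outside the volume"
    return True, dest

def is_suspicious_rename(query_string: str) -> bool:
    """Detection helper for access-log review: flag a connector request whose
    cmd is 'rename' and whose (URL-decoded) name fails the same check."""
    params = parse_qs(query_string, keep_blank_values=True)
    if params.get("cmd", [""])[0] != "rename":
        return False
    return not is_safe_name(params.get("name", [""])[0])

if __name__ == "__main__":
    # Constructed samples under a hypothetical volume root: one benign, one traversing.
    print(validate_rename("/srv/xerte/media", "proj1/notes.txt", "renamed.txt"))
    print(validate_rename("/srv/xerte/media", "proj1/notes.txt", "../../index.php"))
    for qs in ("cmd=rename&target=l1_abc&name=notes.txt",
               "cmd=rename&target=l1_abc&name=..%2F..%2Fx.php"):
        print(qs, "->", "SUSPICIOUS" if is_suspicious_rename(qs) else "ok")
```

The same logic applied at the connector boundary rejects the request before any filesystem call is made, and the detection helper can be run over the query-string column of existing web server logs.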

Patches addressing the vulnerability are available in the Xerte Online Toolkits GitHub repository, including commits 02661be88cc369325ea01b508086bde7fbfec805, 17e4f945fe6a3400fa88c01eda18c1075ee4a212, and 507d55c5e91bf9310b5b1c7fad8aebfef902ad23. Further details appear in GitHub issue #1527, with a proof-of-concept for remote code execution at https://github.com/bootstrapbool/xerteonlinetoolkits-rce.

Vulnerability details

Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can supply a name value containing directory traversal sequences to move files from project media directories to arbitrary locations on the filesystem, potentially overwriting application files, achieving stored cross-site scripting, or combining with other vulnerabilities to achieve unauthenticated remote code execution by moving PHP code files to the application root.

CWE(s)

CWE-22 (Path Traversal)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1505.003 Web Shell (Persistence)
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Path traversal in a public-facing web application enables T1190 exploitation; relocating files to the application root facilitates web shell deployment for RCE, per T1505.003.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2025-1661 (shared CWE-22)
CVE-2026-33529 (shared CWE-22)
CVE-2026-9550 (shared CWE-22)
CVE-2024-44373 (shared CWE-22)
CVE-2019-25471 (shared CWE-22)
CVE-2024-11642 (shared CWE-22)
CVE-2025-67684 (shared CWE-22)
CVE-2025-41758 (shared CWE-22)
CVE-2025-12382 (shared CWE-22)
CVE-2025-54446 (shared CWE-22)

Affected Assets

Xerte Online Toolkits (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5, AI-mapped)

SI-10 Information Input Validation (prevent)
Directly requires sanitization and validation of the 'name' parameter in elFinder rename commands to block path traversal sequences like '../'.

SI-2 Flaw Remediation (prevent)
Mandates timely application of vendor patches, such as those in Xerte commits addressing the elFinder connector vulnerability.

Logical access control (prevent)
Enforces logical access controls on filesystem resources to restrict low-privileged users from moving or overwriting files in arbitrary locations like the application root.
