CVE-2026-34414
Published: 22 April 2026
Summary
CVE-2026-34414 is a high-severity Path Traversal (CWE-22) vulnerability. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 35.4th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly requires sanitization and validation of the 'name' parameter in elFinder rename commands to block path traversal sequences such as '../'.
- SI-2 (Flaw Remediation): mandates timely application of vendor patches, such as those in the Xerte commits addressing the elFinder connector vulnerability.
- Logical access controls on filesystem resources restrict low-privileged users from moving or overwriting files in arbitrary locations such as the application root.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in a public-facing web application enables exploitation under T1190; relocating files to the application root facilitates web shell deployment for RCE under T1505.003 (Server Software Component: Web Shell).
NVD Description
Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can supply a name value containing directory traversal sequences to move files from project media directories to arbitrary locations on the filesystem, potentially overwriting application files, achieving stored cross-site scripting, or combining with other vulnerabilities to achieve unauthenticated remote code execution by moving PHP code files to the application root.
Deeper analysis
CVE-2026-34414 is a relative path traversal vulnerability (CWE-22) in Xerte Online Toolkits versions 3.15 and earlier. The issue affects the elFinder connector endpoint at /editor/elfinder/php/connector.php, where the name parameter in rename commands is not sanitized against path traversal sequences. It carries a CVSS v3.1 base score of 7.1 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N).
Attackers with low-privileged access can exploit the vulnerability over the network with low complexity and no user interaction required. By supplying directory traversal sequences in the name parameter, they can move files from project media directories to arbitrary filesystem locations. This enables overwriting application files, achieving stored cross-site scripting, or combining with other flaws to enable unauthenticated remote code execution via relocation of PHP code files to the application root.
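As an added defensive illustration (not code from Xerte or elFinder), the following Python shows the two checks a connector should apply to a rename name (reject anything that is not a plain base name, then confirm the canonical target stays under the media root) and a scan of access-log lines for rename requests whose decoded name carried a traversal sequence. The media root, the log format and the query-string layout of the rename request are assumptions.

```python
import os
import re
from urllib.parse import unquote

# Matches a ".." path component, e.g. "../" or "/..", on either separator.
TRAVERSAL_RE = re.compile(r"(^|[\\/])\.\.($|[\\/])")

def rename_name_error(name):
    """Return None if `name` is an acceptable new file name for a rename,
    otherwise a short reason. A rename must produce a plain base name."""
    decoded = unquote(name)  # tolerate one level of URL encoding
    if decoded in ("", ".", "..") or "\x00" in decoded:
        return "empty, dot-only or NUL-containing name"
    if "/" in decoded or "\\" in decoded:
        return "path separators are not allowed in a rename target"
    return None

def resolve_within(media_root, name):
    """Second line of defence: the canonical target path must stay inside
    media_root even if name validation was somehow bypassed."""
    root = os.path.realpath(media_root)
    target = os.path.realpath(os.path.join(root, name))
    if target == root or os.path.commonpath([root, target]) != root:
        raise ValueError("target escapes media root")
    return target

# Constructed access-log lines (not from the page). The rename request is
# assumed to carry cmd and name as query parameters; one line is hostile.
SAMPLE_LOG = """\
203.0.113.5 - - [22/Apr/2026:10:01:02 +0000] "GET /editor/elfinder/php/connector.php?cmd=rename&target=l1_abc&name=lesson.png HTTP/1.1" 200 312
203.0.113.9 - - [22/Apr/2026:10:01:07 +0000] "POST /editor/elfinder/php/connector.php?cmd=rename&target=l1_abc&name=..%2F..%2F..%2Fx.php HTTP/1.1" 200 88
203.0.113.9 - - [22/Apr/2026:10:01:09 +0000] "GET /editor/elfinder/php/connector.php?cmd=open&target=l1_abc HTTP/1.1" 200 1024
"""

def find_traversal_renames(log_text):
    """Return source IPs of connector rename requests whose decoded name
    parameter contains a traversal component."""
    hits = []
    req = re.compile(r'^(\S+) .*"(?:GET|POST) /editor/elfinder/php/connector\.php\?([^" ]*)')
    for line in log_text.splitlines():
        m = req.search(line)
        if not m:
            continue
        query = unquote(unquote(m.group(2)))  # also catches double encoding
        params = dict(p.split("=", 1) for p in query.split("&") if "=" in p)
        if params.get("cmd") == "rename" and TRAVERSAL_RE.search(params.get("name", "")):
            hits.append(m.group(1))
    return hits
```

The log scan is a triage aid for hosts that ran an unpatched version; applying the vendor commits remains the fix.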
Patches addressing the vulnerability are available in the Xerte Online Toolkits GitHub repository, including commits 02661be88cc369325ea01b508086bde7fbfec805, 17e4f945fe6a3400fa88c01eda18c1075ee4a212, and 507d55c5e91bf9310b5b1c7fad8aebfef902ad23. Further details appear in GitHub issue #1527, with a proof-of-concept for remote code execution at https://github.com/bootstrapbool/xerteonlinetoolkits-rce.
Details
- CWE(s)