CVE-2026-34414

HIGH

Xerte Online Toolkits Path Traversal via connector.php

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-34414. Includes Metasploit module exploits/multi/http/xerte_unauthenticated_mediaupload.

AI-analyzed exploit summary: the Metasploit module exploits an unauthenticated arbitrary file upload in Xerte Online Toolkits, bypassing authentication, extension blacklists and path traversal restrictions to upload and execute a PHP shell. This CVE is the path traversal step of that chain (the unsanitized rename name passed to connector.php); the authentication and upload-filter bypasses are the separate weaknesses the module combines with it.

Description

Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php: the name parameter of the rename command is not sanitized for path traversal sequences such as "../". An attacker who can reach the connector can supply a name containing traversal sequences so that the rename moves a file out of the project's media directory to an arbitrary writable location on the filesystem. Depending on what is moved and where, this allows overwriting application files, planting stored cross-site scripting payloads, or, chained with a way to get a PHP file into a media directory, unauthenticated remote code execution by moving that file into the application root where the web server executes it.
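Worked example, added here and not code from the Xerte project, from elFinder or from the Metasploit module: it models the flaw class in Python (a rename name joined onto the media directory with no validation) beside a hardened check that accepts only a single path component and re-verifies containment after path resolution, then hunts constructed access-log lines for rename requests whose name is not a plain file name. The media directory path, the elFinder target hashes and the log lines are made up; the cmd/target/name query parameters follow elFinder's documented connector API.

```python
# Added example (not Xerte, elFinder or Metasploit code): the flaw class behind
# CVE-2026-34414, a hardened rename-name check, and log hunting for it.
import os
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Hypothetical media directory of one Xerte project; the real layout may differ.
MEDIA_ROOT = "/var/www/xerte/USER-FILES/42/media"


def vulnerable_rename_target(media_dir, name):
    """Join the caller-supplied name onto the media directory with no
    validation (the flaw class the advisory describes). A name such as
    '../../../shell.php' resolves outside media_dir."""
    return os.path.normpath(os.path.join(media_dir, name))


def safe_rename_target(media_dir, name):
    """Accept only a single path component, then re-check containment after
    resolving the candidate, so symlinks or normalisation cannot undo it."""
    if not name or name in (".", "..") or any(c in name for c in "/\\\0"):
        raise ValueError("rename name must be a plain file name")
    root = os.path.realpath(media_dir)
    candidate = os.path.realpath(os.path.join(root, name))
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("rename target escapes the media directory")
    return candidate


def rename_is_allowed(media_dir, name):
    """Boolean wrapper around safe_rename_target for filters and tests."""
    try:
        safe_rename_target(media_dir, name)
        return True
    except ValueError:
        return False


# Constructed access-log lines (not real traffic), Apache common-log style.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Apr/2026:10:01:12 +0000] "GET /editor/elfinder/php/connector.php?cmd=open&target=l1_Lw HTTP/1.1" 200 512
203.0.113.7 - - [22/Apr/2026:10:01:15 +0000] "GET /editor/elfinder/php/connector.php?cmd=rename&target=l1_c2hlbGwudHh0&name=..%2F..%2F..%2F..%2Fshell.php HTTP/1.1" 200 88
198.51.100.4 - - [22/Apr/2026:10:02:00 +0000] "GET /editor/elfinder/php/connector.php?cmd=rename&target=l1_aW1n&name=photo2.png HTTP/1.1" 200 90
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3})'
)


def find_traversal_renames(log_text):
    """Return (client_ip, decoded_name, status) for every elFinder rename
    request whose name would fail the hardened check above."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m.group("uri"))
        if not url.path.endswith("/elfinder/php/connector.php"):
            continue
        params = parse_qs(url.query)
        if params.get("cmd", [""])[0] != "rename":
            continue
        # parse_qs decodes once; a second unquote also catches "%252F".
        name = unquote(params.get("name", [""])[0])
        if not rename_is_allowed(MEDIA_ROOT, name):
            hits.append((m.group("ip"), name, m.group("status")))
    return hits


if __name__ == "__main__":
    print("vulnerable join resolves to:",
          vulnerable_rename_target(MEDIA_ROOT, "../../../shell.php"))
    for hit in find_traversal_renames(SAMPLE_LOG):
        print("suspicious rename:", hit)
```

Two caveats for hunting: the connector accepts POST as well as GET, and a POST body is not in a standard access log, so this only catches renames sent in the query string; pull request bodies from a WAF or reverse-proxy body log for full coverage. A 200 on a traversal rename is the signal worth paging on, but a 4xx still shows someone probing the endpoint.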

Exploits (1)

Metasploit · Working PoC · Quality: excellent
Language: Ruby · Type: PoC · Platform: Linux
https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/xerte_unauthenticated_mediaupload.rb

Classification: Working PoC (100%)
Attack type: RCE
Complexity: Moderate
Reliability: Reliable
Target: Xerte Online Toolkits versions 3.15 (commit 4e40f8030a2e3267267db7ce03e0ff57270be6f5) and earlier
Authentication: none needed (the module bypasses authentication before reaching the rename command)
Prerequisites: Access to the target's /editor/elfinder/php/connector.php endpoint · PHP execution environment on the target
Analyzed by devstral-2, Jun 16, 2026

Scores

CVSS v3.1 base score: 7.1 (High)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:N
EPSS: 0.0225 (estimated probability of exploitation activity in the next 30 days)
EPSS percentile: 80.6%
Attack vector: Network
Note: the vector scores the rename traversal on its own as requiring low privileges (PR:L); the tracked Metasploit module reaches it without credentials by bypassing authentication, so when prioritizing, treat exposed instances as an unauthenticated RCE exposure.

CISA SSVC (Vulnrichment)

Exploitation: PoC
Automatable: no
Technical impact: partial

Details

CWE: CWE-22 (Improper Limitation of a Pathname to a Restricted Directory, "Path Traversal")
Status: published
Products (7)
thexerteproject/xerteonlinetoolkits < 02661be88cc369325ea01b508086bde7fbfec805
thexerteproject/xerteonlinetoolkits < 17e4f945fe6a3400fa88c01eda18c1075ee4a212
thexerteproject/xerteonlinetoolkits < 3.15.0
thexerteproject/xerteonlinetoolkits < 507d55c5e91bf9310b5b1c7fad8aebfef902ad23
thexerteproject/xerteonlinetoolkits 3.13.0
thexerteproject/xerteonlinetoolkits 3.14.0
thexerteproject/xerteonlinetoolkits 3.15.0
Published Apr 22, 2026
Tracked Since Apr 23, 2026