Vulnerability in Thexerteproject Xerteonlinetoolkits
CVE-2026-34413
Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit()…
EPSS: 0.004 (63.2th percentile) — read the EPSS interpretation.
CVSS v3 metric
CVSS v3 base score 8.6 (High). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L.
Affected products
- Thexerteproject Xerteonlinetoolkits — versions 3.15.0, 3.14.0, 3.13.0
Weakness classification (CWE)
References
- github.com/bootstrapbool/xerteonlinetoolkits-rce (technical-description, exploit)
- xerte.org.uk/xertetoolkits_3.15_ChangeLog.html (release-notes)
- xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits (product, permissions-required)
- github.com/thexerteproject/xerteonlinetoolkits/issues/1527 (issue-tracking)
- github.com/thexerteproject/xerteonlinetoolkits/commit/02661be88cc369325ea01b508… (patch)
- github.com/thexerteproject/xerteonlinetoolkits/commit/17e4f945fe6a3400fa88c01ed… (patch)
- github.com/thexerteproject/xerteonlinetoolkits/commit/507d55c5e91bf9310b5b1c7fa… (patch)
- www.vulncheck.com/advisories/xerte-online-toolkits-missing-authentication-via-c… (third-party-advisory)
Frequently asked questions
- What is CVE-2026-34413?
- CVE-2026-34413 is a high-severity vulnerability in Thexerteproject Xerteonlinetoolkits, classified under Exposure of Sensitive System Information to an Unauthorized Control Sphere. CVSS score: 8.6/10. Published 2026-04-22.
- How severe is CVE-2026-34413?
- High severity. CVSS v3 base score is 8.6 out of 10.