CVE-2026-34413 affects thexerteproject's xerteonlinetoolkits (version 3.15 and earlier) due to a missing authentication check in the elFinder connector endpoint (/editor/elfinder/php/connector.php). When an unauthenticated HTTP request triggers a redirect, the server fails to terminate execution, allowing the PHP script to continue processing the request. This enables unauthenticated attackers to manipulate files within project media directories, including creating, uploading, renaming, duplicating, overwriting, and deleting files. Exploitation can be escalated by chaining with path traversal and extension blocklist vulnerabilities to execute arbitrary code and read arbitrary files on the server.

The vulnerability allows unauthenticated attackers to perform unauthorized file operations on the server hosting xerteonlinetoolkits, potentially leading to remote code execution and arbitrary file disclosure. This compromises the confidentiality, integrity, and availability of the affected system and its data. The CVSS 4.0 base score is 8.8 (high severity), reflecting the network attack vector, no required privileges or user interaction, and high impact on confidentiality and integrity.

No official patch or remediation is currently available as per the vendor advisory and known data. Users should monitor thexerteproject's official channels for updates and apply any forthcoming patches promptly. Until a fix is released, restricting access to the vulnerable endpoint and implementing compensating controls such as web application firewalls to block unauthorized requests may reduce exposure. Patch status is not yet confirmed — check the vendor advisory for current remediation guidance.