425 matches found

RedhatCVE
added 2026/04/25 1:22 a.m., 12 views

CVE-2026-34414

Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can supply a name value...

CVSS 7.1, AI score 6.4, EPSS 0.02826
Exploits: 1, References: 1

RedhatCVE
added 2026/04/23 7:58 p.m., 9 views

CVE-2026-34413

Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit or die, allowing PHP execution to continue and process the...

CVSS 8.8, AI score 6.6, EPSS 0.02804
Exploits: 1, References: 1

NVD
added 2026/04/23 7:17 p.m., 37 views

CVE-2026-41247

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg background color parameter is accepted from user input and passed through image resize/rotate processing. In...

CVSS 9.8, EPSS 0.01567
Exploits: 0, References: 1

EUVD
added 2026/04/23 6:47 p.m., 7 views

EUVD-2026-25281

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg background color parameter is accepted from user input and passed through image resize/rotate processing. In...

CVSS 9.3, AI score 6.1, EPSS 0.01567
Exploits: 0, References: 1

Cvelist
added 2026/04/23 6:47 p.m., 42 views

CVE-2026-41247 elFinder: Command injection in resize background color parameter when using ImageMagick CLI

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg background color parameter is accepted from user input and passed through image resize/rotate processing. In...

CVSS 9.3, EPSS 0.01567
Exploits: 0, References: 1

ATTACKERKB
added 2026/04/23 6:47 p.m., 4 views

CVE-2026-41247

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg background color parameter is accepted from user input and passed through image resize/rotate processing. In...

CVSS 9.3, AI score 6.1, EPSS 0.01567
Exploits: 0, References: 2, Affected Software: 1

Vulnrichment
added 2026/04/23 6:47 p.m., 2 views

CVE-2026-41247 elFinder: Command injection in resize background color parameter when using ImageMagick CLI

elFinder is an open-source file manager for web, written in JavaScript using jQuery UI. Prior to 2.1.67, elFinder contains a command injection vulnerability in the resize command. The bg background color parameter is accepted from user input and passed through image resize/rotate processing. In...

CVSS 9.3, AI score 5.9, EPSS 0.01567
Exploits: 0, References: 1

CVE
added 2026/04/23 6:47 p.m., 9 views

CVE-2026-41247

Vulnerability overview: elFinder

CVSS 9.8, AI score 6.1, EPSS 0.01567
Exploits: 0, References: 1, Affected Software: 1

CNNVD
added 2026/04/23 12:0 a.m., 10 views

elFinder operating system command injection vulnerability

ElFinder is an open-source web file manager developed by Studio 42. Versions of ElFinder prior to 2.1.67 contained a vulnerability related to operating system command injection. This vulnerability stemmed from the bg parameter in the resize command being passed into the shell command string witho...

CVSS 9.8, AI score 5.9, EPSS 0.01567
Exploits: 0, References: 2

EUVD
added 2026/04/22 9:32 p.m., 9 views

EUVD-2026-25068

Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can supply a name value...

CVSS 7.1, AI score 6.3, EPSS 0.02826
Exploits: 1, References: 8

EUVD
added 2026/04/22 9:32 p.m., 6 views

EUVD-2026-25069

Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authenticati...

CVSS 9.8, AI score 6, EPSS 0.03575
Exploits: 1, References: 8

EUVD
added 2026/04/22 9:32 p.m., 13 views

EUVD-2026-25067

Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit or die, allowing PHP execution to continue and process the...

CVSS 8.8, AI score 6.6, EPSS 0.02804
Exploits: 1, References: 8

NVD
added 2026/04/22 7:17 p.m., 6 views

CVE-2026-34414

Xerte Online Toolkits versions 3.15 and earlier contain a relative path traversal vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where the name parameter in rename commands is not sanitized for path traversal sequences. Attackers can supply a name value...

CVSS 7.1, EPSS 0.02826
Exploits: 1, References: 8

NVD
added 2026/04/22 7:17 p.m., 5 views

CVE-2026-34415

Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authenticati...

CVSS 9.8, EPSS 0.03575
Exploits: 1, References: 8

NVD
added 2026/04/22 7:17 p.m., 14 views

CVE-2026-34413

Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit or die, allowing PHP execution to continue and process the...

CVSS 8.8, EPSS 0.02804
Exploits: 1, References: 8

ATTACKERKB
added 2026/04/22 6:33 p.m., 3 views

CVE-2026-34413

Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit or die, allowing PHP execution to continue and process the...

CVSS 8.8, AI score 6.6, EPSS 0.02804
Exploits: 1, References: 9

Cvelist
added 2026/04/22 6:33 p.m., 30 views

CVE-2026-34413 Xerte Online Toolkits Missing Authentication via connector.php

Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit or die, allowing PHP execution to continue and process the...

CVSS 8.8, EPSS 0.02804
Exploits: 1, References: 8

Vulnrichment
added 2026/04/22 6:33 p.m., 5 views

CVE-2026-34413 Xerte Online Toolkits Missing Authentication via connector.php

Xerte Online Toolkits versions 3.15 and earlier contain a missing authentication vulnerability in the elFinder connector endpoint at /editor/elfinder/php/connector.php where an HTTP redirect to unauthenticated callers does not call exit or die, allowing PHP execution to continue and process the...

CVSS 8.8, AI score 6.6, EPSS 0.02804
Exploits: 1, References: 8

CVE
added 2026/04/22 6:33 p.m., 14 views

CVE-2026-34413

Xerte Online Toolkits 3.15 and earlier suffer a missing authentication vulnerability in the elFinder connector endpoint /editor/elfinder/php/connector.php. An HTTP redirect to unauthenticated callers does not call exit() or die(), allowing PHP execution to continue and process the full request se...

CVSS 8.8, AI score 6.6, EPSS 0.02804
Exploits: 1, References: 8

Vulnrichment
added 2026/04/22 6:33 p.m., 5 views

CVE-2026-34415 Xerte Online Toolkits File Upload RCE via elfinder Connector

Xerte Online Toolkits versions 3.15 and earlier contain an incomplete input validation vulnerability in the elFinder connector endpoint that fails to block PHP-executable extensions .php4 due to an incorrect regex pattern. Unauthenticated attackers can exploit this flaw combined with authenticati...

CVSS 9.8, AI score 6, EPSS 0.03575
Exploits: 1, References: 8