Xerte Online Toolkits File Upload RCE

Vulnerability Summary

Vulnerability Overview
The connector endpoint in Xerte Online Toolkits has an incomplete input validation vulnerability. Because the check relies on an incorrect regular expression pattern, it fails to block uploads of files with PHP-executable extensions (such as ).

Attack Path:
1. Exploit this vulnerability in combination with authentication bypass and path traversal vulnerabilities to upload malicious PHP code.
2. Rename the file to have a extension.
3. Execute arbitrary operating system commands on the server.

Impact Scope
Affected Versions: Xerte Online Toolkits v3.15.0 and earlier versions.
Severity: Critical (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)
Release Date: 2026/04/22/2026

Remediation
Fixed Version: Versions after v3.15.0.
Fix Commit: commit 02661be

References:
* v3.15 Change Log
* GitHub Issue
* v3.15 Patch Commit
* v3.14 Patch Commit
* v3.13 Patch Commit
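The root cause described above is a filename check built on an incorrect regular expression. The following is an added illustration written for this page; it is not Xerte's code (Xerte is a PHP application, and its actual pattern is not reproduced here), and both the weak pattern and the allowlist are constructed assumptions. It contrasts a fragile denylist regex with a strict allowlist applied to the canonical basename, and shows why the same check must also govern any later rename of an uploaded file.

```python
import os.path
import re

# Constructed example of a WEAK check (assumption, not Xerte's actual pattern):
# a case-sensitive denylist that only rejects a bare ".php" suffix.
WEAK_DENY = re.compile(r"\.php$")


def weak_is_allowed(filename: str) -> bool:
    """Denylist approach: anything the single pattern does not match is accepted."""
    return WEAK_DENY.search(filename) is None


# Hardened check: a small allowlist of non-executable media extensions,
# evaluated case-insensitively on the basename, with exactly one extension.
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "pdf"}
# Stem may not contain dots, so double extensions such as "a.x.png" are rejected.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.([A-Za-z0-9]{1,5})$")


def strict_is_allowed(filename: str) -> bool:
    """Allowlist approach: reject anything that is not provably a plain media file."""
    # Any path component (../, /, \) means the name is not a bare basename: reject.
    base = os.path.basename(filename.replace("\\", "/"))
    if base != filename:
        return False
    m = SAFE_NAME.fullmatch(base)
    if m is None:
        return False
    return m.group(1).lower() in ALLOWED_EXTENSIONS


def rename_is_allowed(old: str, new: str) -> bool:
    """A rename endpoint must validate the destination name with the same rule,
    otherwise a harmless upload can later be turned into an executable file."""
    return strict_is_allowed(old) and strict_is_allowed(new)


if __name__ == "__main__":
    # Constructed sample names to compare the two checks.
    for name in ["image.png", "shell.php", "shell.PHP", "shell.phtml",
                 "shell.php.png", "../image.png"]:
        print(f"{name:16} weak={weak_is_allowed(name)!s:5} strict={strict_is_allowed(name)}")
```

The weak check passes names that merely differ in case or use another PHP-handled extension, and it says nothing about a subsequent rename; the strict check decides on canonical form and is reused for the rename path, which is the property the fix needs to establish.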