CVE-2026-41459
MEDIUM
NVD
CVSS Score
5.3
Severity
MEDIUM
Published
Apr 22, 2026
Vendor
unknown
Description
Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the exposed root_path value rendered in the HTML response, which enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php.
References
- https://github.com/thexerteproject/xerteonlinetoolkits/commit/f063e942b4a9bf77a06829e844c2c70316bc45e8
- https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527
- https://www.vulncheck.com/advisories/xerte-online-toolkits-path-disclosure-via-setup
- https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits
- https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html