CVE-2026-41459

Summary

Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the exposed root_path value rendered in the HTML response, which enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php.

Affected Software

VendorProductVersion RangeStatus
thexerteprojectxerteonlinetoolkits3.15.0affected
thexerteprojectxerteonlinetoolkits0 < f063e942b4a9bf77a06829e844c2c70316bc45e8affected

Weaknesses

  • CWE-497: CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: yes
    • Technical Impact: partial

References