Information Disclosure Vulnerability in Xerte Online Toolkits by Xerte
CVE-2026-41459

6.9 MEDIUM

Key Information:

Vendor
CVE Published: 22 April 2026

What is CVE-2026-41459?

Xerte Online Toolkits versions 3.15 and earlier are susceptible to an information disclosure flaw that permits unauthorized users to obtain the complete server-side filesystem path of the application root. By issuing a GET request to the /setup endpoint, attackers can exploit this vulnerability to retrieve the root_path value from the HTML response. This exposure can lead to further security issues, such as relative path traversal attacks in the connector.php file, potentially compromising system integrity and confidentiality.

Affected Version(s)

xerteonlinetoolkits 3.15.0

xerteonlinetoolkits 0

CVSS V4

Score: 6.9
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

bootstrapbool