CVE-2026-41459

Xerte Online Toolkits Path Disclosure via /setup

CVSS 6.9 MEDIUMEPSS 0.8%CWE-497

Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the exposed root_path value rendered in the HTML response, which enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected products

thexerteproject · xerteonlinetoolkits

public PoCs found — 1

cve_referencegithub.com/bootstrapbool/xerteonlinetoolkits-rceunverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/bootstrapbool/xerteonlinetoolkits-rce https://github.com/thexerteproject/xerteonlinetoolkits/commit/f063e942b4a9bf77a06829e844c2c70316bc45e8 https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527 https://www.vulncheck.com/advisories/xerte-online-toolkits-path-disclosure-via-setup https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html