CVE-2026-41459
Status: Received - Intake
Information Disclosure in Xerte Online Toolkits Allows Path Exposure

Publication date: 2026-04-22

Last updated on: 2026-04-24

Assigner: VulnCheck

Description
Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the exposed root_path value rendered in the HTML response, which enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php.
Meta Information
Published: 2026-04-22
Last Modified: 2026-04-24
Generated: 2026-05-07
AI Q&A: 2026-04-23
EPSS Evaluated: 2026-05-05
External references: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor: bootstrapbool
Product: xerte_online_toolkits
Version / Range: to 3.15.0 (exc)
CWE
CWE-497: The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in Xerte Online Toolkits allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root, exposing sensitive system information.

Exposure of such sensitive information can increase the risk of further exploitation and data breaches, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of system and data confidentiality.

By revealing internal server paths, the vulnerability could facilitate attacks that compromise data integrity or confidentiality, potentially leading to violations of regulatory requirements for safeguarding personal or sensitive data.


How can this vulnerability impact me?

This vulnerability can lead to information disclosure by revealing the full server-side filesystem path, which is sensitive information.

Knowing the exact filesystem path can help attackers craft more targeted attacks, such as exploiting path-dependent vulnerabilities like relative path traversal.

While the vulnerability does not directly allow data modification or denial of service, it increases the risk of further exploitation that could compromise system security.


Can you explain this vulnerability to me?

Xerte Online Toolkits versions 3.15 and earlier have an information disclosure vulnerability that allows unauthenticated attackers to obtain the full server-side filesystem path of the application root.

Attackers can exploit this by sending a GET request to the /setup page, which exposes the root_path value in the HTML response.

This exposure can then be used to facilitate further attacks, such as relative path traversal vulnerabilities in other parts of the application like connector.php.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by sending an unauthenticated GET request to the /setup page of the Xerte Online Toolkits application and checking the HTML response for an exposed root_path value.

A possible command to detect this vulnerability using curl is:

  • curl -s http://<target-host>/setup | grep root_path

If the root_path is present in the response, it indicates the vulnerability is present and the full server-side filesystem path is disclosed.
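As an added example (not the page's or the Xerte project's own code), the following Python self-check lets an administrator verify an install they operate: it requests /setup without following redirects, treats a 3xx/401/403 answer as the page being restricted (the mitigation described on this page), and otherwise looks for a root_path value in the body. The sample responses and the markup assumed around root_path are constructed, not captured from a real install.

```python
import re
import sys
import urllib.request
from urllib.error import HTTPError, URLError

# Constructed sample responses for offline use (assumption: Xerte's /setup
# renders root_path in a table cell; the real markup may differ).
EXPOSED_HTML = '<tr><td>root_path</td><td>/var/www/html/xerte</td></tr>'
FIXED_HTML = '<html><body><h1>Setup complete</h1></body></html>'

# "root_path", at most 40 characters of markup, then an absolute Unix path or
# a Windows drive path that directly follows a delimiter (>, quote, =, :, space).
ROOT_PATH_RE = re.compile(
    r'root_path.{0,40}?(?<=[>"\'=:\s])(/[^\s<>"\']+|[A-Za-z]:\\[^\s<>"\']+)'
)

def assess_setup_response(status, body):
    """Classify a /setup response: redirect/401/403 means the mitigation
    (restricting the page) is in place; otherwise look for a root_path value."""
    if status in (401, 403) or 300 <= status < 400:
        return {'state': 'restricted', 'root_path': None}
    match = ROOT_PATH_RE.search(body)
    if match:
        return {'state': 'exposed', 'root_path': match.group(1)}
    return {'state': 'not_found', 'root_path': None}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Do not follow 3xx, so a redirect to a login page is reported as restricted.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def check_own_install(base_url, timeout=10):
    """GET <base_url>/setup on a host you administer and assess the response."""
    opener = urllib.request.build_opener(_NoRedirect())
    try:
        with opener.open(base_url.rstrip('/') + '/setup', timeout=timeout) as resp:
            return assess_setup_response(resp.status, resp.read().decode(errors='replace'))
    except HTTPError as err:  # 3xx (unfollowed), 4xx and 5xx all land here
        return assess_setup_response(err.code, err.read().decode(errors='replace'))
    except URLError as err:
        return {'state': 'unreachable', 'root_path': None, 'error': str(err.reason)}

if __name__ == '__main__':
    print(assess_setup_response(200, EXPOSED_HTML))  # offline demonstration
    if len(sys.argv) > 1:
        print(check_own_install(sys.argv[1]))
```

Run it with the base URL of your own installation as the first argument; a result of "restricted" or "not_found" after patching or restricting /setup confirms the fix took effect.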


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include restricting access to the /setup page to authorized users only or disabling the /setup page if it is not needed.

Additionally, updating Xerte Online Toolkits to a version later than 3.15 where this vulnerability is fixed is recommended.

