CVE-2026-41459
Status: Received - Intake
Information Disclosure in Xerte Online Toolkits Allows Path Exposure

Publication date: 2026-04-22

Last updated on: 2026-04-24

Assigner: VulnCheck

Description
Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the exposed root_path value rendered in the HTML response, which enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-04-22
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Showing 1 associated CPE
Vendor: bootstrapbool
Product: xerte_online_toolkits
Version / Range: up to 3.15.0 (exclusive)
CWE-497: The product does not properly prevent sensitive system-level information from being accessed by unauthorized actors who do not have the same level of access to the underlying system as the product does.
AI Quick Actions
Impact Analysis

This vulnerability can lead to information disclosure by revealing the full server-side filesystem path, which is sensitive information.

Knowing the exact filesystem path can help attackers craft more targeted attacks, such as exploiting path-dependent vulnerabilities like relative path traversal.

While the vulnerability does not directly allow data modification or denial of service, it increases the risk of further exploitation that could compromise system security.

Executive Summary

Xerte Online Toolkits versions 3.15 and earlier have an information disclosure vulnerability that allows unauthenticated attackers to obtain the full server-side filesystem path of the application root.

Attackers can exploit this by sending a GET request to the /setup page, which exposes the root_path value in the HTML response.

This exposure can then be used to facilitate further attacks, such as relative path traversal vulnerabilities in other parts of the application like connector.php.

Detection Guidance

This vulnerability can be detected by sending an unauthenticated GET request to the /setup page of the Xerte Online Toolkits application and checking the HTML response for the exposed root_path value.

A possible command to detect this vulnerability using curl is:

  • curl -s http://<target-host>/setup | grep root_path

If root_path appears in the response, the vulnerability is present and the full server-side filesystem path is disclosed.
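An added offline check for the detection step above (example code, not part of this record or of Xerte): it classifies a /setup response as exposed, restricted, disabled or not_exposed and extracts the disclosed root_path. The record does not show the actual /setup markup, so the HTML pattern and the sample responses are assumptions; the fetch helper uses only the standard library.

```python
import re
import urllib.error
import urllib.request
from typing import Optional, Tuple

# Assumption: the record does not show the /setup markup, so this pattern accepts
# either a form field named root_path or a "root_path: <path>" label, with an
# absolute Unix or Windows path as the value. Adjust it to the real page.
ROOT_PATH_RE = re.compile(
    r'root_path[^>\n]{0,80}?(?:value\s*=\s*|[:=]\s*)["\']?'
    r'((?:/|[A-Za-z]:\\)[^"\'<\s]*)',
    re.IGNORECASE,
)

# Constructed sample responses for offline use; not captured from a real host.
SAMPLE_EXPOSED = '<form><input type="hidden" name="root_path" value="/var/www/html/xerte/"></form>'
SAMPLE_LABEL = '<p>root_path: C:\\inetpub\\xerte\\</p>'
SAMPLE_NO_VALUE = '<label for="rp">root_path</label><input id="rp" value="">'
SAMPLE_DENIED = '<h1>403 Forbidden</h1>'

def extract_root_path(html: str) -> Optional[str]:
    """Return the disclosed application root path if /setup renders it, else None."""
    m = ROOT_PATH_RE.search(html)
    return m.group(1) if m else None

def classify(status: int, html: str) -> str:
    """Map a /setup response to a finding: exposed, restricted, disabled or not_exposed."""
    if status in (401, 403):
        return "restricted"   # access control in front of /setup: mitigation applied
    if status == 404:
        return "disabled"     # /setup removed: mitigation applied
    if status == 200 and extract_root_path(html):
        return "exposed"      # CVE-2026-41459 condition present
    return "not_exposed"

def check_setup_page(base_url: str, timeout: float = 5.0) -> Tuple[str, Optional[str]]:
    """Fetch <base_url>/setup and classify it, returning (finding, disclosed_path)."""
    req = urllib.request.Request(base_url.rstrip("/") + "/setup",
                                 headers={"User-Agent": "xerte-setup-check"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", "replace")
            return classify(resp.status, body), extract_root_path(body)
    except urllib.error.HTTPError as e:
        return classify(e.code, ""), None
```

Run `check_setup_page("http://<target-host>")` against an instance you administer; a result of `restricted` or `disabled` confirms the mitigation from the next section is in place.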

Mitigation Strategies

Immediate mitigation steps include restricting access to the /setup page to authorized users only or disabling the /setup page if it is not needed.

Additionally, updating Xerte Online Toolkits to a version later than 3.15, in which this vulnerability is fixed, is recommended.

Compliance Impact

The vulnerability in Xerte Online Toolkits allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root, exposing sensitive system information.

Exposure of such sensitive information can increase the risk of further exploitation and data breaches, which may impact compliance with standards and regulations like GDPR and HIPAA that require protection of system and data confidentiality.

By revealing internal server paths, the vulnerability could facilitate attacks that compromise data integrity or confidentiality, potentially leading to violations of regulatory requirements for safeguarding personal or sensitive data.
