CVE-2026-41459
MediumCVSS 5.3Exploitation Probability (EPSS)
Elevated risk52th percentile - higher than 52% of all known CVEs
Summary
Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the exposed root_path value rendered in the HTML response.
Risk Assessment
Exposing the system path facilitates exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php, potentially leading to unauthorized file access.
Recommendation
Immediately update Xerte Online Toolkits to a version later than 3.15 which fixes this vulnerability. Until then, restrict access to the /setup page using firewall rules or authentication.
Original NVD description (English source)
Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the exposed root_path value rendered in the HTML response, which enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php.

