Description
Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the exposed root_path value rendered in the HTML response, which enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php.
Published: 2026-04-22
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Apply Patch
AI Analysis

Impact

The flaw allows an attacker to obtain the full filesystem path to the application root without authentication by sending a GET request to the /setup page. The root_path value is rendered into the page’s HTML, revealing the directory structure and enabling further exploitation of path-dependent weaknesses such as relative path traversal in connector.php.

Affected Systems

Xerte Online Toolkits versions 3.15 and earlier, developed by thexerteproject. The vulnerability affects all installations using these releases; newer versions are not impacted.

Risk and Exploitability

With a CVSS score of 6.9, the risk is moderate; the EPSS score is not available, which leaves uncertainty about how often the flaw is exploited in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it unauthenticated via a browser or automated tool, exposing the system path and potentially facilitating additional attacks such as directory traversal. The primary security consequence is the disclosure of the internal directory structure, which can aid attackers in planning further exploits.

Generated by OpenCVE AI on April 27, 2026 at 08:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Xerte Online Toolkits to a version newer than 3.15 that removes the root_path exposure.
  • If upgrade is not immediately possible, configure the web server to block or redirect requests to /setup to prevent disclosure.
  • Edit the /setup template or the associated code to eliminate the rendering of the root_path variable from the response.

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 20:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Thexerteproject
                                      Thexerteproject xerteonlinetoolkits
Vendors & Products                    Thexerteproject
                                      Thexerteproject xerteonlinetoolkits

Fri, 24 Apr 2026 19:45:00 +0000

Type                 Values Removed   Values Added
References

Thu, 23 Apr 2026 15:30:00 +0000

Type                 Values Removed   Values Added
Metrics                               ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 22 Apr 2026 19:00:00 +0000

Type                 Values Removed   Values Added
Description                           Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the exposed root_path value rendered in the HTML response, which enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php.
Title                                 Xerte Online Toolkits Path Disclosure via /setup
Weaknesses                            CWE-497
References
Metrics                               cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}
                                      cvssV4_0 {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-25T23:42:17.312Z

Reserved: 2026-04-20T16:07:47.310Z

Link: CVE-2026-41459

Vulnrichment

Updated: 2026-04-23T14:13:22.129Z

NVD

Status : Deferred

Published: 2026-04-22T19:17:08.643

Modified: 2026-04-24T20:16:27.950

Link: CVE-2026-41459

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-27T19:53:18Z

Weaknesses