{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41459", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-20T16:07:47.310Z", "datePublished": "2026-04-22T18:32:26.272Z", "dateUpdated": "2026-04-24T19:31:14.259Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-24T19:31:14.259Z"}, "title": "Xerte Online Toolkits Path Disclosure via /setup", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-497", "description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere", "type": "CWE"}]}], "affected": [{"vendor": "thexerteproject", "product": "xerteonlinetoolkits", "repo": "https://github.com/thexerteproject/xerteonlinetoolkits", "versions": [{"status": "affected", "version": "3.15.0", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "f063e942b4a9bf77a06829e844c2c70316bc45e8", "versionType": "git"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the exposed root_path value rendered in the HTML response, which enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the exposed root_path value rendered in the HTML response, which enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php.<br>"}]}], "references": [{"url": "https://github.com/bootstrapbool/xerteonlinetoolkits-rce", "tags": ["technical-description", "exploit"]}, {"url": "https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html", "tags": ["release-notes"]}, {"url": "https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits", "tags": ["product", "permissions-required"]}, {"url": "https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527", "tags": ["issue-tracking"]}, {"url": "https://github.com/thexerteproject/xerteonlinetoolkits/commit/f063e942b4a9bf77a06829e844c2c70316bc45e8", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/xerte-online-toolkits-path-disclosure-via-setup", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "credits": [{"lang": "en", "value": "bootstrapbool", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-23T14:13:11.664023Z", "id": "CVE-2026-41459", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T14:13:26.167Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41459", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-20T16:07:47.310Z", "datePublished": "2026-04-22T18:32:26.272Z", "dateUpdated": "2026-04-23T14:13:26.167Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-22T18:34:33.485Z"}, "title": "Xerte Online Toolkits Path Disclosure via /setup", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-497", "description": "CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere", "type": "CWE"}]}], "affected": [{"vendor": "thexerteproject", "product": "xerteonlinetoolkits", "repo": "https://github.com/thexerteproject/xerteonlinetoolkits", "versions": [{"status": "affected", "version": "3.15.0", "versionType": "semver"}, {"status": "affected", "version": "0", "lessThan": "f063e942b4a9bf77a06829e844c2c70316bc45e8", "versionType": "git"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the exposed root_path value rendered in the HTML response, which enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the exposed root_path value rendered in the HTML response, which enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php.<br>"}]}], "references": [{"url": "https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html", "tags": ["release-notes"]}, {"url": "https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits", "tags": ["product", "permissions-required"]}, {"url": "https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527", "tags": ["issue-tracking"]}, {"url": "https://github.com/thexerteproject/xerteonlinetoolkits/commit/f063e942b4a9bf77a06829e844c2c70316bc45e8", "tags": ["patch"]}, {"url": "https://www.vulncheck.com/advisories/xerte-online-toolkits-path-disclosure-via-setup", "tags": ["third-party-advisory"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "MEDIUM", "baseScore": 6.9, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 5.3, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}}], "credits": [{"lang": "en", "value": "bootstrapbool", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-41459", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-23T14:13:11.664023Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-23T14:13:22.129Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the exposed root_path value rendered in the HTML response, which enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php."}], "id": "CVE-2026-41459", "lastModified": "2026-04-24T20:16:27.950", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "disclosure@vulncheck.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 6.9, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-22T19:17:08.643", "references": [{"source": "disclosure@vulncheck.com", "url": "https://github.com/bootstrapbool/xerteonlinetoolkits-rce"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/thexerteproject/xerteonlinetoolkits/commit/f063e942b4a9bf77a06829e844c2c70316bc45e8"}, {"source": "disclosure@vulncheck.com", "url": "https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/xerte-online-toolkits-path-disclosure-via-setup"}, {"source": "disclosure@vulncheck.com", "url": "https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits"}, {"source": "disclosure@vulncheck.com", "url": "https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-497"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "3.15.0"}}, {"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,f063e942b4a9bf77a06829e844c2c70316bc45e8)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "xerteonlinetoolkits", "source": "cna", "vendor": "thexerteproject"}, "product": "xerteonlinetoolkits", "vendor": "thexerteproject"}], "analysis": {"en": {"generated_at": "2026-04-27T08:32:04.356655+00:00", "value": {"mitigation_remediation": ["Upgrade Xerte Online Toolkits to a version newer than 3.15 that removes the root_path exposure. ", "If upgrade is not immediately possible, configure the web server to block or redirect requests to /setup to prevent disclosure. ", "Edit the /setup template or the associated code to eliminate the rendering of the root_path variable from the response."], "summary": {"action": "Apply Patch", "impact": "Information Disclosure"}, "threat_synthesis": {"affected_systems": "Xerte Online Toolkits versions 3.15 and earlier, developed by thexerteproject. The vulnerability affects all installations using these releases; newer versions are not impacted.", "description_and_impact": "The flaw allows an attacker to obtain the full filesystem path to the application root without authentication by sending a GET request to the /setup page. The root_path value is rendered into the page\u2019s HTML, revealing the directory structure and enabling further exploitation of path-dependent weaknesses such as relative path traversal in connector.php.", "risk_and_exploitability": "With a CVSS score of 6.9, the risk is moderate, and the EPSS score is not available, suggesting there is some uncertainty about how often the flaw is exploited in the wild. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it unauthenticated via a browser or automated tool, exposing the system path and potentially facilitating additional attacks such as directory traversal. The primary security consequence is the disclosure of internal directory structure, which can aid attackers in planning further exploits."}}}}, "created": "2026-04-27T18:42:00.089398+00:00", "updated": "2026-04-27T19:53:18.155999+00:00", "vendors": ["thexerteproject", "thexerteproject$PRODUCT$xerteonlinetoolkits"]}