216.73.217.50

CVE-2026-41459

· Published 22/04/2026 19:17 · Modified 22/04/2026 21:18

Labels: CVE-2026-41459 2026-04-22CVE-2026-41459CWE-497[email protected]

Essential information

Published
22/04/2026 19:17
Modified
22/04/2026 21:18
Author
Creator
CVSS
6.9 MEDIUM (v3) 6.9 MEDIUM (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the exposed root_path value rendered in the HTML response, which enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
xerte / xerte online toolkits cpe:2.3:a:xerte:xerte_online_toolkits:3.15:*:*:*:*:*:*:*
xerte / xerte online toolkits cpe:2.3:a:xerte:xerte_online_toolkits:*:*:*:*:*:*:*:*

References