CVE Vulnerability Details: CVE-2026-41459
PUBLISHED
Assigner: VulnCheck
Assigner Org ID: 83251b91-4cc7-4094-a5c7-464a1b83ea10
Published At: 22 Apr, 2026 | 18:32
Updated At: 24 Apr, 2026 | 19:31
CVE Numbering Authority (CNA)
Xerte Online Toolkits Path Disclosure via /setup

Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the exposed root_path value rendered in the HTML response, which enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php.

Affected Products
Vendor: thexerteproject
Product: xerteonlinetoolkits
Repo: https://github.com/thexerteproject/xerteonlinetoolkits
Default Status: unaffected
Versions Affected:
  • 3.15.0 (semver)
  • From 0 before f063e942b4a9bf77a06829e844c2c70316bc45e8 (git)
Problem Types
Type: CWE
CWE ID: CWE-497
Description: CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere
Metrics
Version: 4.0
Base score: 6.9
Base severity: MEDIUM
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Version: 3.1
Base score: 5.3
Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Credits

finder: bootstrapbool
References
Hyperlink: https://github.com/bootstrapbool/xerteonlinetoolkits-rce
Resource: technical-description, exploit
Hyperlink: https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html
Resource: release-notes
Hyperlink: https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits
Resource: product, permissions-required
Hyperlink: https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527
Resource: issue-tracking
Hyperlink: https://github.com/thexerteproject/xerteonlinetoolkits/commit/f063e942b4a9bf77a06829e844c2c70316bc45e8
Resource: patch
Hyperlink: https://www.vulncheck.com/advisories/xerte-online-toolkits-path-disclosure-via-setup
Resource: third-party-advisory
Authorized Data Publishers (ADP)
CISA ADP Vulnrichment