CVE-2026-41459: CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere in thexerteproject xerteonlinetoolkits
Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the exposed root_path value rendered in the HTML response, which enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php.
AI Analysis
Technical Summary
CVE-2026-41459 is an information disclosure vulnerability in thexerteproject's xerteonlinetoolkits (version 3.15 and earlier) where unauthenticated attackers can retrieve the full server-side filesystem path of the application root. This is achieved by sending a GET request to the /setup page, which returns the root_path value in the HTML response. Disclosure of this sensitive system information can aid attackers in exploiting other path-dependent vulnerabilities such as relative path traversal in connector.php. The vulnerability is classified under CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere).
Potential Impact
The vulnerability allows unauthenticated attackers to obtain sensitive system information (the full server-side filesystem path of the application root). This information disclosure can facilitate further attacks, including exploitation of relative path traversal vulnerabilities. However, there is no direct evidence of remote code execution or data modification solely from this vulnerability. The CVSS 4.0 score of 6.9 reflects a medium severity impact due to the information disclosure and potential for subsequent exploitation.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the /setup page to trusted users or internal networks if possible. Monitor for updates from thexerteproject regarding patches or official mitigations. Avoid exposing the application to untrusted networks without additional access controls.
CVE-2026-41459: CWE-497 Exposure of Sensitive System Information to an Unauthorized Control Sphere in thexerteproject xerteonlinetoolkits
Description
Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the exposed root_path value rendered in the HTML response, which enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php.
CVSS v4.0
Score 6.9medium
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-41459 is an information disclosure vulnerability in thexerteproject's xerteonlinetoolkits (version 3.15 and earlier) where unauthenticated attackers can retrieve the full server-side filesystem path of the application root. This is achieved by sending a GET request to the /setup page, which returns the root_path value in the HTML response. Disclosure of this sensitive system information can aid attackers in exploiting other path-dependent vulnerabilities such as relative path traversal in connector.php. The vulnerability is classified under CWE-497 (Exposure of Sensitive System Information to an Unauthorized Control Sphere).
Potential Impact
The vulnerability allows unauthenticated attackers to obtain sensitive system information (the full server-side filesystem path of the application root). This information disclosure can facilitate further attacks, including exploitation of relative path traversal vulnerabilities. However, there is no direct evidence of remote code execution or data modification solely from this vulnerability. The CVSS 4.0 score of 6.9 reflects a medium severity impact due to the information disclosure and potential for subsequent exploitation.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is released, restrict access to the /setup page to trusted users or internal networks if possible. Monitor for updates from thexerteproject regarding patches or official mitigations. Avoid exposing the application to untrusted networks without additional access controls.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- VulnCheck
- Date Reserved
- 2026-04-20T16:07:47.310Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69e91af419fe3cd2cde2a8c7
Added to database: 4/22/2026, 7:01:08 PM
Last enriched: 5/26/2026, 8:26:09 PM
Last updated: 6/6/2026, 2:11:15 AM
Views: 59
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.