CVE-2026-41459

Name of the Vulnerable Software and Affected Versions Xerte Online Toolkits versions 3.15 and earlier

Description An information disclosure issue allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. By sending a GET request to the '/setup' page, attackers can access the exposed root path value rendered in the HTML response. This information can be used to exploit path-dependent issues, such as relative path traversal in 'connector.php'.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.