Vulnerabilities ›

CVE-2026-41459

Medium

CWE-497 — Weakness Type

                    Published: Apr 22, 2026                      ·  Modified: Apr 24, 2026                      ·  Source: NVD                

CVSS v3

5.3

🔗 NVD Official

📄 Description (English)

Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the exposed root_path value rendered in the HTML response, which enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php.

🤖 AI Executive Summary

Xerte Online Toolkits versions 3.15 and earlier expose the server filesystem path through an unauthenticated GET request to the /setup page, enabling attackers to exploit path-dependent vulnerabilities. This information disclosure vulnerability allows attackers to craft targeted attacks such as relative path traversal exploits against connector.php.

📄 Description (Arabic)

يحتوي Xerte Online Toolkits الإصدار 3.15 وما قبله على ثغرة كشف معلومات تسمح للمهاجمين غير المصرح لهم باسترجاع مسار نظام الملفات الكامل لجذر التطبيق. يمكن للمهاجمين إرسال طلب GET إلى صفحة /setup للوصول إلى قيمة root_path المكشوفة في استجابة HTML. هذا يمكّن استغلال الثغرات المعتمدة على المسار مثل اجتياز المسار النسبي في connector.php.

🤖 ملخص تنفيذي (AI)

🤖 AI Intelligence Analysis Analyzed: May 29, 2026 03:37

🇸🇦 Saudi Arabia Impact Assessment

Saudi Relevance: high

🏢 Affected Saudi Sectors

government healthcare education

🎯 MITRE ATT&CK Techniques

T1526 T1592 T1087

⚖️ Saudi Risk Score (AI)

5.0

/ 10.0

🔧 Remediation Steps (English)

Upgrade Xerte Online Toolkits to version 3.16 or later immediately. Restrict access to the /setup page using web server configuration or authentication mechanisms. Implement network-level access controls to limit exposure of administrative interfaces. Review server logs for unauthorized access attempts to the /setup endpoint.

🔧 خطوات المعالجة (العربية)

قم بترقية Xerte Online Toolkits إلى الإصدار 3.16 أو أحدث فوراً. قيد الوصول إلى صفحة /setup باستخدام إعدادات خادم الويب أو آليات المصادقة. طبق عناصر تحكم في الوصول على مستوى الشبكة لتحديد التعرض للواجهات الإدارية. راجع سجلات الخادم للتحقق من محاولات الوصول غير المصرح به إلى نقطة نهاية /setup.

📋 Regulatory Compliance Mapping

🟢 NCA ECC 2024

A.5.1.1 A.5.2.1 A.5.2.2

🔵 SAMA CSF

ID.RA-1 PR.AC-1 PR.AC-3

🟡 ISO 27001:2022

A.5.1.1 A.5.2.1 A.5.2.2 A.6.1.1

🔗 References & Sources 5

🔗

https://github.com/thexerteproject/xerteonlinetoolkits/commit/f063e942b4a9bf77a06829e84...

disclosure@vulncheck.com

🔗

https://github.com/thexerteproject/xerteonlinetoolkits/issues/1527

disclosure@vulncheck.com

🔗

https://www.vulncheck.com/advisories/xerte-online-toolkits-path-disclosure-via-setup

disclosure@vulncheck.com

🔗

https://xerte.org.uk/index.php/en/downloads-1/category/3-xerte-online-toolkits

disclosure@vulncheck.com

🔗

https://xerte.org.uk/xertetoolkits_3.15_ChangeLog.html

disclosure@vulncheck.com

📊 CVSS Score

5.3

/ 10.0 — Medium

📊 CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Attack VectorN — None / Network

Attack ComplexityL — Low / Local

Privileges RequiredN — None / Network

User InteractionN — None / Network

ScopeU — Unchanged

ConfidentialityL — Low / Local

IntegrityN — None / Network

AvailabilityN — None / Network

📋 Quick Facts

Severity Medium

CVSS Score5.3

CWECWE-497

EPSS0.04%

Exploit No

Patch ✗ No

Published 2026-04-22

Source Feed nvd

🇸🇦 Saudi Risk Score

5.0

/ 10.0 — Saudi Risk

Priority: MEDIUM

🏷️ Tags

CWE-497

⚡ Actions

🔗 NVD Official Page ⚡ Exploit-DB Search 🐙 GitHub PoC Search 🎯 MITRE ATT&CK 📊 CVE Details

CVE-2026-41459

Introduce Yourself

Sign In Required