Xerte Online Toolkits versions 3.15 and earlier contain...
Moderate severity
Unreviewed
Published
Apr 22, 2026
to the GitHub Advisory Database
•
Updated Apr 24, 2026
Description
Published by the National Vulnerability Database
Apr 22, 2026
Published to the GitHub Advisory Database
Apr 22, 2026
Last updated
Apr 24, 2026
Xerte Online Toolkits versions 3.15 and earlier contain an information disclosure vulnerability that allows unauthenticated attackers to retrieve the full server-side filesystem path of the application root. Attackers can send a GET request to the /setup page to access the exposed root_path value rendered in the HTML response, which enables exploitation of path-dependent vulnerabilities such as relative path traversal in connector.php.
References