index.php in Tilde CMS 4.x and earlier allows remote attackers to obtain sensitive information via a certain search parameter value in a search action, which reveals the path.