Cyber Posture

CVE-2026-32985

Severity: Critical · Public PoC available

Published: 20 March 2026
Modified: 16 April 2026
KEV Added: (none listed)
Patch: (none listed)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0085 (75.0th percentile)
Risk Priority: 20 (weighting 60% EPSS, 20% KEV, 20% CVSS)

Description

Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality that allows remote attackers to execute arbitrary code by uploading a crafted ZIP archive containing malicious PHP payloads. Attackers can bypass authentication checks in the import.php file to upload a template archive with PHP code in the media directory, which is extracted to a web-accessible path where the malicious PHP can be directly accessed and executed under the web server context.

Mitigating Controls (NIST 800-53 r5) (AI-generated mapping)

Prevent: Defines and restricts permitted actions without authentication, ensuring template import functionality requires identification to prevent unauthenticated arbitrary file uploads.

Prevent: Validates inputs to the template import endpoint, including ZIP archive contents, to block malicious PHP payloads and dangerous file types.

Prevent / Detect: Deploys malicious code protection at web application entry points to scan and eradicate uploaded PHP payloads before extraction to web-accessible paths.
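The description and the input-validation control above both come down to one check: inspect every entry of the uploaded archive before anything is written under the web root. The following is an added example, not code from the Xerte project; it is a stand-alone Python validator that rejects server-executable files (including double extensions and .htaccess / .user.ini re-mapping), zip-slip paths, symlink entries and oversized archives, and only then extracts. The directory names (template.xml, media/) and the two sample archives are constructed for the demonstration; the suffix list is an assumption about a typical PHP handler mapping and should be aligned with the real server configuration.

```python
import io
import os
import posixpath
import shutil
import zipfile

# Assumed: suffixes a typical PHP handler mapping would execute, plus
# per-directory config files that can turn other suffixes into PHP.
SERVER_EXEC_SUFFIXES = {"php", "php3", "php4", "php5", "php7", "php8",
                        "phtml", "phar", "phps", "phpt"}
CONFIG_BASENAMES = {".htaccess", ".user.ini"}


def _safe_relative_path(name: str) -> bool:
    """Reject absolute paths, drive letters, backslashes, NULs and '..' escapes (zip slip)."""
    if not name or "\\" in name or "\x00" in name:
        return False
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return False
    norm = posixpath.normpath(name)
    return not (norm == ".." or norm.startswith("../") or norm.startswith("/"))


def _is_server_executable(name: str) -> bool:
    """True for shell.php, shell.php.jpg (double extension) and .htaccess-style config."""
    base = posixpath.basename(name.rstrip("/")).lower()
    if base in CONFIG_BASENAMES:
        return True
    return any(part in SERVER_EXEC_SUFFIXES for part in base.split(".")[1:])


def _is_symlink(info: zipfile.ZipInfo) -> bool:
    """Unix mode lives in the high 16 bits of external_attr; 0o120000 is S_IFLNK."""
    return ((info.external_attr >> 16) & 0o170000) == 0o120000


def validate_template_archive(data: bytes, max_total_bytes: int = 50 * 1024 * 1024) -> list[str]:
    """Return a list of problems; an empty list means the archive may be extracted."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile as exc:
        return [f"not a zip archive: {exc}"]
    problems, total = [], 0
    with zf:
        for info in zf.infolist():
            name = info.filename
            if not _safe_relative_path(name):
                problems.append(f"unsafe path: {name!r}")
            if _is_symlink(info):
                problems.append(f"symlink entry: {name!r}")
            if _is_server_executable(name):
                problems.append(f"server-executable file: {name!r}")
            total += info.file_size
    if total > max_total_bytes:
        problems.append(f"uncompressed size {total} exceeds limit {max_total_bytes}")
    return problems


def extract_template_archive(data: bytes, dest_dir: str) -> list[str]:
    """Extract only after validation, writing each entry under dest_dir by its normalised name."""
    problems = validate_template_archive(data)
    if problems:
        raise ValueError("archive rejected: " + "; ".join(problems))
    dest = os.path.realpath(dest_dir)
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            target = os.path.join(dest, *posixpath.normpath(info.filename).split("/"))
            if info.is_dir():
                os.makedirs(target, exist_ok=True)
                continue
            os.makedirs(os.path.dirname(target), exist_ok=True)
            with zf.open(info) as src, open(target, "wb") as dst:
                shutil.copyfileobj(src, dst)
            written.append(target)
    return written


def _build_zip(entries):
    """Constructed sample archives for the demonstration (not real Xerte templates)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, payload in entries:
            zf.writestr(name, payload)
    return buf.getvalue()


BENIGN_ARCHIVE = _build_zip([("template.xml", b"<template/>"), ("media/logo.png", b"\x89PNG")])
MALICIOUS_ARCHIVE = _build_zip([
    ("template.xml", b"<template/>"),
    ("media/shell.php", b"<?php /* payload would go here */ ?>"),  # direct PHP drop
    ("media/.htaccess", b"AddType application/x-httpd-php .jpg"),  # re-map other suffixes
    ("media/../../config.php", b"<?php ?>"),                        # zip slip
])

if __name__ == "__main__":
    print("benign:", validate_template_archive(BENIGN_ARCHIVE))
    print("malicious:", validate_template_archive(MALICIOUS_ARCHIVE))
```

This check is the second line of defence; the first is that import.php refuses the request without an authenticated session. Note that a deny-list of suffixes is only as good as knowledge of the server's handler mapping, which is why the .htaccess / .user.ini entries are rejected as well: an attacker who can drop one of those can make any suffix executable.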

Security Summary (AI-generated)

Xerte Online Toolkits versions 3.14 and earlier are affected by CVE-2026-32985, an unauthenticated arbitrary file upload vulnerability in the template import functionality. This flaw, tied to CWE-306 (Missing Authentication for Critical Function) and CWE-434 (Unrestricted Upload of File with Dangerous Type), exists in the import.php file, where attackers can bypass authentication checks to upload a crafted ZIP archive containing malicious PHP payloads. The archive extracts the PHP code to a web-accessible media directory, enabling direct access and execution under the web server context. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).

Remote attackers require no privileges or user interaction to exploit this issue over the network. By submitting a specially crafted ZIP file via the template import endpoint, they achieve arbitrary code execution on the server, potentially leading to full compromise including data theft, modification, or destruction under the web server's permissions.

Mitigation details and patches are referenced in advisories available at https://packetstorm.news/files/id/216288/ and the project site https://xot.xerte.org.uk/. Security practitioners should review these sources for upgrade instructions or workarounds to address the vulnerability.

Details

CWE(s)

CWE-306 Missing Authentication for Critical Function
CWE-434 Unrestricted Upload of File with Dangerous Type

Affected Products

apereo xerte online toolkits, versions ≤ 3.14.0

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1505.003 Web Shell Persistence
Adversaries may backdoor web servers with web shells to establish persistent access to systems.
Why these techniques?

Unauthenticated arbitrary file upload in a public-facing web application enables remote code execution via crafted PHP payloads acting as web shells (T1190: Exploit Public-Facing Application; T1505.003: Web Shell).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0
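The T1190 to T1505.003 chain above leaves a recognisable trace in the web server access log: a POST to import.php from an address with no session, followed shortly by GETs for a .php file under the media directory that the server answers rather than rejecting. The following detection logic is an added example, not part of the original page or of any Xerte tooling; it parses combined-format access-log lines and raises a high-severity alert for the import-then-execute sequence and a lower-severity one for any PHP served from the media directory at all, since nothing under media/ should ever be executable. The /xerte/ prefix, the one-hour window and the log lines are constructed assumptions for the demonstration; only import.php and the media directory are named in the advisory text.

```python
import re
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log line (request line, status, size, referer, UA).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
IMPORT_RE = re.compile(r'/import\.php$', re.I)
PHP_IN_MEDIA_RE = re.compile(r'/media/.*\.(?:php\d?|phtml|phar|phps)$', re.I)
WINDOW = timedelta(hours=1)  # assumed: how long after the import a first web-shell hit is correlated


def parse_line(line: str):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    ev["path"] = ev["path"].split("?", 1)[0]  # drop the query string before matching
    return ev


def detect_import_webshell_chain(lines):
    """Scan time-ordered log lines; return alerts for PHP executed out of the media directory."""
    alerts = []
    recent_imports = {}  # client ip -> timestamps of POSTs to import.php
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["method"] == "POST" and IMPORT_RE.search(ev["path"]):
            recent_imports.setdefault(ev["ip"], []).append(ev["ts"])
            continue
        # 403/404 means the server refused to serve it; anything else (200, 500...) means PHP ran.
        if ev["method"] == "GET" and PHP_IN_MEDIA_RE.search(ev["path"]) and ev["status"] not in (403, 404):
            prior = [t for t in recent_imports.get(ev["ip"], []) if timedelta(0) <= ev["ts"] - t <= WINDOW]
            rule = "import-then-php-in-media" if prior else "php-served-from-media"
            alerts.append({"rule": rule, "ip": ev["ip"], "path": ev["path"],
                           "ts": ev["ts"].isoformat(), "ua": ev["ua"]})
    return alerts


# Constructed sample log; 203.0.113.7 performs the import-then-execute sequence,
# 192.0.2.44 hits a stray PHP file in media/ with no preceding import in the log.
SAMPLE_LOG = """\
198.51.100.12 - - [20/Mar/2026:09:58:01 +0000] "GET /xerte/index.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2026:10:15:32 +0000] "POST /xerte/import.php HTTP/1.1" 200 512 "-" "python-requests/2.31"
203.0.113.7 - - [20/Mar/2026:10:15:40 +0000] "GET /xerte/media/shell.php?c=id HTTP/1.1" 200 77 "-" "python-requests/2.31"
198.51.100.12 - - [20/Mar/2026:10:16:05 +0000] "GET /xerte/media/logo.png HTTP/1.1" 200 9123 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2026:10:17:00 +0000] "GET /xerte/media/shell.php?c=whoami HTTP/1.1" 200 31 "-" "python-requests/2.31"
192.0.2.44 - - [20/Mar/2026:11:40:11 +0000] "GET /xerte/media/old.php HTTP/1.1" 200 12 "-" "curl/8.5"
""".splitlines()

if __name__ == "__main__":
    for alert in detect_import_webshell_chain(SAMPLE_LOG):
        print(alert)
```

For incident response the same rule can be run over the full retained log to establish first contact, and the filesystem side of the check is simply any .php file under the media directory whose mtime is later than the deployment: on an unpatched 3.14 host, either signal alone justifies treating the web server account as compromised.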
