Critical severity9.8NVD Advisory· Published Mar 20, 2026· Updated Apr 16, 2026

CVE-2026-32985

Description

Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality that allows remote attackers to execute arbitrary code by uploading a crafted ZIP archive containing malicious PHP payloads. Attackers can bypass authentication checks in the import.php file to upload a template archive with PHP code in the media directory, which gets extracted to a web-accessible path where the malicious PHP can be directly accessed and executed under the web server context.

Affected products

Apereo/Xerte Online Toolkits
cpe:2.3:a:apereo:xerte_online_toolkits:*:*:*:*:*:*:*:*
Range: <=3.14.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

packetstorm.news/files/id/216288/nvdExploitIssue TrackingThird Party Advisory
xot.xerte.org.uknvdProduct

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000