Critical severity9.8NVD Advisory· Published Mar 20, 2026· Updated Apr 16, 2026
CVE-2026-32985
CVE-2026-32985
Description
Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality that allows remote attackers to execute arbitrary code by uploading a crafted ZIP archive containing malicious PHP payloads. Attackers can bypass authentication checks in the import.php file to upload a template archive with PHP code in the media directory, which gets extracted to a web-accessible path where the malicious PHP can be directly accessed and executed under the web server context.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
2- Range: <=3.14
Patches
Vulnerability mechanics
References
2- packetstorm.news/files/id/216288/nvdExploitIssue TrackingThird Party Advisory
- xot.xerte.org.uknvdProduct
News mentions
1- Weekly Metasploit Update: Apache ActiveMQ RCE, Gogs Rebase RCE, and Windows Kernel Pointer EnumRapid7 Blog · Jun 5, 2026