CVE-2026-32985

Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality that allows remote attackers to execute arbitrary code by uploading a crafted ZIP archive containing malicious PHP payloads. Attackers can bypass authentication checks in the import.php file to upload a template archive with PHP code in the media directory, which gets extracted to a web-accessible path where the malicious PHP can be directly accessed and executed under the web server context.
References

Link | Resource
https://packetstorm.news/files/id/216288/ | Exploit, Issue Tracking, Third Party Advisory
https://xot.xerte.org.uk/ | Product
Configurations

Configuration 1

cpe:2.3:a:apereo:xerte_online_toolkits:*:*:*:*:*:*:*:*

History

16 Apr 2026, 13:42

Type | Values Removed | Values Added
CPE | | cpe:2.3:a:apereo:xerte_online_toolkits:*:*:*:*:*:*:*:*
References | https://packetstorm.news/files/id/216288/ | https://packetstorm.news/files/id/216288/ - Exploit, Issue Tracking, Third Party Advisory
References | https://xot.xerte.org.uk/ | https://xot.xerte.org.uk/ - Product
First Time | | Apereo
First Time | | Apereo xerte Online Toolkits

20 Mar 2026, 18:16

Type | Values Removed | Values Added
Summary | | (es, translated) Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality. The issue exists in /website_code/php/import/import.php, where the lack of authentication checks allows an attacker to upload a crafted ZIP file disguised as a project template. The file can contain a malicious PHP payload placed in the media/ directory, which is extracted to a web-accessible USER-FILES/{projectID}--{targetFolder}/ path. An attacker can then directly access the uploaded PHP file to achieve remote code execution under the web server context.
Summary | (en) Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality. The issue exists in /website_code/php/import/import.php where missing authentication checks allow an attacker to upload a crafted ZIP archive disguised as a project template. The archive can contain a malicious PHP payload placed in the media/ directory, which is extracted into a web-accessible USER-FILES/{projectID}--{targetFolder}/ path. An attacker can then directly access the uploaded PHP file to achieve remote code execution under the web server context. | (en) Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality that allows remote attackers to execute arbitrary code by uploading a crafted ZIP archive containing malicious PHP payloads. Attackers can bypass authentication checks in the import.php file to upload a template archive with PHP code in the media directory, which gets extracted to a web-accessible path where the malicious PHP can be directly accessed and executed under the web server context.

20 Mar 2026, 00:16

Type | Values Removed | Values Added
New CVE

Information

Published : 2026-03-20 00:16

Updated : 2026-04-16 13:42


NVD link : CVE-2026-32985

Mitre link : CVE-2026-32985

CVE.ORG link : CVE-2026-32985

Products Affected

apereo

  • xerte_online_toolkits
CWE
CWE-306

Missing Authentication for Critical Function

CWE-434

Unrestricted Upload of File with Dangerous Type