CVE-2026-32985

Xerte Online Toolkits <= 3.14 Unauthenticated Template Import Arbitrary File Upload Leading to Remote Code Execution

CVSS 9.3 CRITICALEPSS 1.5%CWE-306 CWE-434

Vexday Risk Score

63High priority

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 9.3EPSS 1.5%KEV nãoPoC públicaNuclei —Metasploit simPatch —

Lifecycle

04 Aug 2025Metasploit module available

20 Mar 2026Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality that allows remote attackers to execute arbitrary code by uploading a crafted ZIP archive containing malicious PHP payloads. Attackers can bypass authentication checks in the import.php file to upload a template archive with PHP code in the media directory, which gets extracted to a web-accessible path where the malicious PHP can be directly accessed and executed under the web server context.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

Xerte · Xerte Online Toolkits

public PoCs found — 1

cve_referencepacketstorm.news/files/id/216288/unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://packetstorm.news/files/id/216288/https://xot.xerte.org.uk/