{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32985", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-03-17T11:31:56.956Z", "datePublished": "2026-03-20T00:06:28.759Z", "dateUpdated": "2026-03-20T17:37:59.034Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-20T17:37:59.034Z"}, "title": "Xerte Online Toolkits <= 3.14 Unauthenticated Template Import Arbitrary File Upload Leading to Remote Code Execution", "datePublic": "2026-02-19T00:00:00.000Z", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function", "type": "CWE"}]}, {"descriptions": [{"lang": "en", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type", "type": "CWE"}]}], "affected": [{"vendor": "Xerte", "product": "Xerte Online Toolkits", "versions": [{"status": "affected", "version": "0", "lessThanOrEqual": "3.14", "versionType": "custom"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality that allows remote attackers to execute arbitrary code by uploading a crafted ZIP archive containing malicious PHP payloads. Attackers can bypass authentication checks in the import.php file to upload a template archive with PHP code in the media directory, which gets extracted to a web-accessible path where the malicious PHP can be directly accessed and executed under the web server context.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "<p>Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality that allows remote attackers to execute arbitrary code by uploading a crafted ZIP archive containing malicious PHP payloads. Attackers can bypass authentication checks in the import.php file to upload a template archive with PHP code in the media directory, which gets extracted to a web-accessible path where the malicious PHP can be directly accessed and executed under the web server context.<br></p>"}]}], "references": [{"url": "https://xot.xerte.org.uk/", "name": "Xerte Online Toolkits - Vendor Homepage", "tags": ["product"]}, {"url": "https://packetstorm.news/files/id/216288/", "name": "Packet Storm listing (Xerte Online Toolkits 3.14 Shell Upload)", "tags": ["exploit"]}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "CRITICAL", "baseScore": 9.3, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH", "baseSeverity": "CRITICAL", "baseScore": 9.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}}], "credits": [{"lang": "en", "value": "indoushka", "type": "finder"}], "source": {"discovery": "UNKNOWN"}, "x_generator": {"engine": "vulncheck"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-20T14:18:57.386429Z", "id": "CVE-2026-32985", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T14:19:58.230Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32985", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-20T14:18:57.386429Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-20T14:19:48.314Z"}}], "cna": {"title": "Xerte Online Toolkits <= 3.14 Unauthenticated Template Import Arbitrary File Upload Leading to Remote Code Execution", "source": {"discovery": "UNKNOWN"}, "credits": [{"lang": "en", "type": "finder", "value": "indoushka"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 9.3, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}, {"format": "CVSS", "cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "Xerte", "product": "Xerte Online Toolkits", "versions": [{"status": "affected", "version": "0", "versionType": "custom", "lessThanOrEqual": "3.14"}], "defaultStatus": "unaffected"}], "datePublic": "2026-02-19T00:00:00.000Z", "references": [{"url": "https://xot.xerte.org.uk/", "name": "Xerte Online Toolkits - Vendor Homepage", "tags": ["product"]}, {"url": "https://packetstorm.news/files/id/216288/", "name": "Packet Storm listing (Xerte Online Toolkits 3.14 Shell Upload)", "tags": ["exploit"]}], "x_generator": {"engine": "vulncheck"}, "descriptions": [{"lang": "en", "value": "Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality that allows remote attackers to execute arbitrary code by uploading a crafted ZIP archive containing malicious PHP payloads. Attackers can bypass authentication checks in the import.php file to upload a template archive with PHP code in the media directory, which gets extracted to a web-accessible path where the malicious PHP can be directly accessed and executed under the web server context.", "supportingMedia": [{"type": "text/html", "value": "<p>Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality that allows remote attackers to execute arbitrary code by uploading a crafted ZIP archive containing malicious PHP payloads. Attackers can bypass authentication checks in the import.php file to upload a template archive with PHP code in the media directory, which gets extracted to a web-accessible path where the malicious PHP can be directly accessed and executed under the web server context.<br></p>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-434", "description": "CWE-434 Unrestricted Upload of File with Dangerous Type"}]}], "providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-03-20T17:37:59.034Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32985", "state": "PUBLISHED", "dateUpdated": "2026-03-20T17:37:59.034Z", "dateReserved": "2026-03-17T11:31:56.956Z", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "datePublished": "2026-03-20T00:06:28.759Z", "assignerShortName": "VulnCheck"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality that allows remote attackers to execute arbitrary code by uploading a crafted ZIP archive containing malicious PHP payloads. Attackers can bypass authentication checks in the import.php file to upload a template archive with PHP code in the media directory, which gets extracted to a web-accessible path where the malicious PHP can be directly accessed and executed under the web server context."}, {"lang": "es", "value": "Las versiones 3.14 y anteriores de Xerte Online Toolkits contienen una vulnerabilidad de carga arbitraria de archivos no autenticada en la funcionalidad de importaci\u00f3n de plantillas. El problema existe en /website_code/php/import/import.php donde la falta de comprobaciones de autenticaci\u00f3n permiten a un atacante cargar un archivo ZIP manipulado disfrazado como una plantilla de proyecto. El archivo puede contener una carga \u00fatil PHP maliciosa colocada en el directorio media/, que se extrae en una ruta USER-FILES/{projectID}--{targetFolder}/ accesible desde la web. Un atacante puede entonces acceder directamente al archivo PHP cargado para lograr la ejecuci\u00f3n remota de c\u00f3digo bajo el contexto del servidor web."}], "id": "CVE-2026-32985", "lastModified": "2026-03-20T18:16:16.477", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "disclosure@vulncheck.com", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-03-20T00:16:18.260", "references": [{"source": "disclosure@vulncheck.com", "url": "https://packetstorm.news/files/id/216288/"}, {"source": "disclosure@vulncheck.com", "url": "https://xot.xerte.org.uk/"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}, {"lang": "en", "value": "CWE-434"}], "source": "disclosure@vulncheck.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,3.14]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "product": "xerte_online_toolkits", "vendor": "xerte"}], "analysis": {"en": {"generated_at": "2026-03-20T01:50:34.959230+00:00", "value": {"mitigation_remediation": ["Apply the latest Xerte Online Toolkit patch (v3.15 or newer) to eliminate the unauthenticated upload flaw.", "If a patch is not yet available, disable or remove access to the template import URL /website_code/php/import/import.php, or restrict it to authenticated administrators only.", "Monitor the USER-FILES directories for unauthorized PHP files and restrict execution permissions on uploaded content.", "Check Xerte\u2019s official site or support channels for updates and additional security advisories."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "The vulnerability affects Xerte Online Toolkits from vendor Xerte, specifically all releases up to and including version 3.14. No explicit sub-version list is provided, so all builds in that release series are considered potentially vulnerable.", "description_and_impact": "Xerte Online Toolkits version 3.14 and older are affected by an unauthenticated arbitrary file upload vulnerability in the template import functionality. The flaw resides in /website_code/php/import/import.php where authentication checks are missing, allowing an attacker to upload a crafted ZIP archive disguised as a project template. Inside the ZIP, a malicious PHP file can be placed in the media/ directory; upon import, the archive is extracted to a web-accessible USER-FILES/{projectID}--{targetFolder} path. The attacker can then directly access the uploaded PHP file and execute arbitrary code under the web server's context, compromising confidentiality, integrity, and availability of the affected system. The weakness maps to CWE-306 (Missing Authentication) and CWE-434 (Untrusted File Upload).", "risk_and_exploitability": "The CVSS score of 9.3 indicates a high severity vulnerability with a wide impact surface. Though EPSS data is unavailable, the lack of authentication and the ability to upload executable code suggests a high likelihood of exploitation. The vulnerability is not currently listed in the CISA KEV catalog. Attackers can exploit it remotely via the web interface by submitting a malicious template ZIP file. Once uploaded, the attacker can immediately run arbitrary PHP code from the web-accessible directory. The risk is therefore significant for any environment running the affected version without mitigation."}}}}, "created": "2026-03-20T08:54:12.469734+00:00", "updated": "2026-03-20T10:43:39.614783+00:00", "vendors": ["xerte", "xerte$PRODUCT$xerte_online_toolkits"]}