CVE-2026-32985CRITICAL 9.8EPSS p70.5%

CVE-2026-32985CVE-2026-32985

Description

Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality that allows remote attackers to execute arbitrary code by uploading a crafted ZIP archive containing malicious PHP payloads. Attackers can bypass authentication checks in the import.php file to upload a template archive with PHP code in the media directory, which gets extracted to a web-accessible path where the malicious PHP can be directly accessed and executed under the web server context.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS1.48% probability of exploitation · percentile 70.5% · 2026-06-19T12:03:05Z
Published2026-03-20
Last modified2026-04-16

Underlying weaknesses· 2

CWE-306CWE-434

References

  1. https://packetstorm.news/files/id/216288/
  2. https://xot.xerte.org.uk/

2

TypeTargetConfidenceTier
WeaknessMissing Authentication for Critical Functioncwe-3060%live
WeaknessUnrestricted Upload of File with Dangerous Typecwe-4340%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-34415
CVE
CVE-2026-34413
CVE
CVE-2026-38429
CVE
CVE-2025-25790
CVE
CVE-2025-25784
CVE
CVE-2025-6207
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.