CVE-2026-32985: Xerte Online Toolkits versions 3.14 and earlier allow unauthorized file upload (CVSS 9.3)
Summary
A security issue in older versions of Xerte Online Toolkits lets attackers upload files without permission. This could allow an attacker to add malicious code to your website, which could be used to take control of the server. Update to the latest version of Xerte Online Toolkits to fix this issue.
Original title
Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality. The issue exists in /website_code/php/import/imp...
Original description
Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality. The issue exists in /website_code/php/import/import.php where missing authentication checks allow an attacker to upload a crafted ZIP archive disguised as a project template. The archive can contain a malicious PHP payload placed in the media/ directory, which is extracted into a web-accessible USER-FILES/{projectID}--{targetFolder}/ path. An attacker can then directly access the uploaded PHP file to achieve remote code execution under the web server context.
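As an added defensive check (not code from the Xerte project), the following Python audits an uploaded template ZIP before anything is extracted, flagging entries that would drop server-executable code into the web-accessible USER-FILES/{projectID}--{targetFolder}/ path or escape it via traversal. The executable-extension list and the sample archive are constructed assumptions; the authentication check the advisory says is missing must be enforced before this function is ever reached.

```python
import io
import posixpath
import zipfile

# Suffixes a typical PHP web server would execute if extracted under the
# web root (assumed list; tune to the server's handler configuration).
EXECUTABLE_EXTENSIONS = {"php", "php3", "php4", "php5", "php7", "phtml", "phar", "phps"}


def entry_problems(name: str) -> list[str]:
    """Return the reasons a single archive entry name must be rejected."""
    problems = []
    norm = posixpath.normpath(name.replace("\\", "/"))
    # Entries that would land outside the extraction directory.
    if norm.startswith("/") or norm == ".." or norm.startswith("../"):
        problems.append("path escapes extraction directory")
    base = posixpath.basename(norm)
    if base == ".htaccess":
        problems.append("web server config override")
    # Check every dotted suffix: shell.php.jpg is still executed by some
    # Apache multi-extension setups, so do not trust only the last one.
    if any(part in EXECUTABLE_EXTENSIONS for part in base.lower().split(".")[1:]):
        problems.append("server-executable script")
    return problems


def audit_template_zip(data: bytes) -> dict[str, list[str]]:
    """Map each offending entry to its problems; an empty dict means safe to extract."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            problems = entry_problems(info.filename)
            if problems:
                findings[info.filename] = problems
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: a normal-looking template with bad entries mixed in."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("data.xml", "<template/>")
        zf.writestr("media/logo.png", b"\x89PNG constructed sample")
        zf.writestr("media/shell.php", "CONSTRUCTED-SAMPLE, not a payload")
        zf.writestr("../outside.txt", "traversal attempt")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in audit_template_zip(build_sample_zip()).items():
        print(f"REJECT {entry}: {', '.join(why)}")
```

Reject the whole archive when the audit returns any finding; extracting only the "clean" entries still lets a mixed archive pass as a legitimate template.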
NVD CVSS 3.1: 9.8
NVD CVSS 4.0: 9.3
Vulnerability type
CWE-306: Missing Authentication for Critical Function
CWE-434: Unrestricted File Upload
Published: 20 Mar 2026 · Updated: 20 Mar 2026 · First seen: 20 Mar 2026