Description
Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality that allows remote attackers to execute arbitrary code by uploading a crafted ZIP archive containing malicious PHP payloads. Attackers can bypass authentication checks in the import.php file to upload a template archive with PHP code in the media directory, which gets extracted to a web-accessible path where the malicious PHP can be directly accessed and executed under the web server context.
Published: 2026-03-20
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

A flaw in Xerte Online Toolkits allows an attacker to upload a ZIP archive that contains PHP code without needing to authenticate. When the system imports the template, the archive is extracted into a public web directory, and the malicious script can then be accessed via a browser and run on the server. This defect is consistent with missing authentication (CWE‑306) and arbitrary file upload (CWE‑434), enabling a complete takeover of the application’s execution environment.

Affected Systems

Xerte Online Toolkits version 3.14 and all earlier releases are affected. Users running these releases should verify the exact build; newer versions of the toolkit are not known to be impacted.

Risk and Exploitability

The score of 9.3 (CVSS v4.0) indicates critical severity. The EPSS score is below 1%, suggesting a low estimated probability of exploitation in the wild at present, and the vulnerability is not listed in the CISA KEV catalog. Because the upload can be performed without authentication, the likely attack vector is remote over the internet. Exploitation requires only knowledge of the vulnerable endpoint and the ability to craft a ZIP containing a PHP payload.

Generated by OpenCVE AI on March 20, 2026 at 19:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Xerte Online Toolkits to a version newer than 3.14
  • If immediate upgrade is not possible, restrict the media upload directory so that it does not contain or allow execution of PHP files
  • Deploy web application firewall rules to deny file uploads that contain PHP code
  • Regularly review and monitor the web root for unexpected PHP files
  • Apply any vendor‑issued security patches as soon as they become available
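As an added example for the mitigation and monitoring steps above (this is not Xerte or OpenCVE code and is not derived from the Xerte import code): a Python pre-import check that lists the members of an uploaded template ZIP a PHP handler would execute, and a sweep over an extracted USER-FILES-style tree that flags unexpected PHP files. The extension list, the sample archive and the sample tree contents are constructed assumptions; the project folder name only follows the {projectID}--{targetFolder} pattern quoted in the record.

```python
"""Added example (not Xerte or OpenCVE code): inspect a template ZIP before
import and sweep an extracted upload tree for server-executable PHP files."""
import io
import os
import pathlib
import posixpath
import tempfile
import zipfile

# Assumption: extensions a typical PHP-enabled web server hands to the
# interpreter. Tune to the AddHandler / location rules of the actual host.
PHP_EXTENSIONS = {".php", ".phtml", ".php3", ".php4", ".php5", ".php7", ".phps", ".phar"}


def has_php_extension(name: str) -> bool:
    """True if any dotted suffix of the base name is a PHP handler extension.
    Every suffix is checked so a double extension such as 'x.php.jpg' is
    caught; some Apache AddHandler setups still execute those."""
    parts = posixpath.basename(name.replace("\\", "/")).lower().split(".")
    return any("." + p in PHP_EXTENSIONS for p in parts[1:])


def inspect_template_zip(data: bytes) -> dict:
    """Report the members of an uploaded template archive that the web server
    would execute if they were extracted under a web-accessible path."""
    report = {"members": 0, "php_members": []}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            report["members"] += 1
            if not info.is_dir() and has_php_extension(info.filename):
                report["php_members"].append(info.filename)
    return report


def sweep_tree(root: str) -> list:
    """Walk an extracted upload tree (the USER-FILES/ directory named in the
    record) and return relative paths of files a PHP handler would run."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if has_php_extension(f):
                hits.append(os.path.relpath(os.path.join(dirpath, f), root))
    return sorted(hits)


def build_sample_zip() -> bytes:
    """Constructed sample archive: a benign-looking template plus one member
    that should block the import. Not a real Xerte template."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("data.xml", "<template/>")
        zf.writestr("media/image.png", b"\x89PNG")
        zf.writestr("media/cmd.php", "<?php // constructed placeholder ?>")
    return buf.getvalue()


def demo_sweep() -> list:
    """Constructed USER-FILES-style tree in a temp dir; the project folder name
    follows the {projectID}--{targetFolder} pattern with made-up values."""
    with tempfile.TemporaryDirectory() as root:
        proj = pathlib.Path(root, "1234--template")
        (proj / "media").mkdir(parents=True)
        (proj / "data.xml").write_text("<template/>")
        (proj / "media" / "image.png").write_bytes(b"\x89PNG")
        (proj / "media" / "cmd.php").write_text("<?php // constructed placeholder ?>")
        return sweep_tree(root)


if __name__ == "__main__":
    report = inspect_template_zip(build_sample_zip())
    print("archive members:", report["members"], "PHP members:", report["php_members"])
    print("PHP files found in tree:", demo_sweep())
```

Rejecting an archive when `php_members` is non-empty is the pre-import control; running `sweep_tree` on the live upload directory from a scheduled job is the monitoring control. Neither replaces disabling PHP execution for the upload directory in the web server configuration, which is the durable fix while no vendor patch is available.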


Advisories

No advisories yet.

History

Fri, 20 Mar 2026 18:00:00 +0000

Type: Description
Values Removed: Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality. The issue exists in /website_code/php/import/import.php where missing authentication checks allow an attacker to upload a crafted ZIP archive disguised as a project template. The archive can contain a malicious PHP payload placed in the media/ directory, which is extracted into a web-accessible USER-FILES/{projectID}--{targetFolder}/ path. An attacker can then directly access the uploaded PHP file to achieve remote code execution under the web server context.
Values Added: Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality that allows remote attackers to execute arbitrary code by uploading a crafted ZIP archive containing malicious PHP payloads. Attackers can bypass authentication checks in the import.php file to upload a template archive with PHP code in the media directory, which gets extracted to a web-accessible path where the malicious PHP can be directly accessed and executed under the web server context.

Fri, 20 Mar 2026 15:15:00 +0000

Type: Metrics
Values Removed: (empty)
Values Added: ssvc
{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 20 Mar 2026 09:00:00 +0000

Type: First Time appeared
Values Removed: (empty)
Values Added: Xerte; Xerte xerte Online Toolkits

Type: Vendors & Products
Values Removed: (empty)
Values Added: Xerte; Xerte xerte Online Toolkits

Fri, 20 Mar 2026 00:15:00 +0000

Type: Description
Values Removed: (empty)
Values Added: Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality. The issue exists in /website_code/php/import/import.php where missing authentication checks allow an attacker to upload a crafted ZIP archive disguised as a project template. The archive can contain a malicious PHP payload placed in the media/ directory, which is extracted into a web-accessible USER-FILES/{projectID}--{targetFolder}/ path. An attacker can then directly access the uploaded PHP file to achieve remote code execution under the web server context.

Type: Title
Values Removed: (empty)
Values Added: Xerte Online Toolkits <= 3.14 Unauthenticated Template Import Arbitrary File Upload Leading to Remote Code Execution

Type: Weaknesses
Values Removed: (empty)
Values Added: CWE-306; CWE-434

Type: References
Values Removed: (empty)
Values Added: (empty)

Type: Metrics
Values Removed: (empty)
Values Added: cvssV3_1
{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
cvssV4_0
{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-03-20T17:37:59.034Z

Reserved: 2026-03-17T11:31:56.956Z

Link: CVE-2026-32985

Vulnrichment

Updated: 2026-03-20T14:19:48.314Z

NVD

Status : Awaiting Analysis

Published: 2026-03-20T00:16:18.260

Modified: 2026-03-20T18:16:16.477

Link: CVE-2026-32985

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-25T14:10:13Z

Weaknesses