Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality that allows remote attackers to execute arbitrary code by uploading a crafted ZIP archive containing malicious PHP payloads. Attackers can bypass authentication checks in the import.php file to upload a template archive with PHP code in the media directory, which gets extracted to a web-accessible path where the malicious PHP can be directly accessed and executed under the web server context.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/32xxx/CVE-2026-32985.json",
"cna_assigner": "VulnCheck",
"cwe_ids": [
"CWE-306",
"CWE-434"
],
"unresolved_ranges": [
{
"extracted_events": [
{
"last_affected": "3.14"
}
],
"source": "AFFECTED_FIELD"
}
]
}{
"cpe": "cpe:2.3:a:apereo:xerte_online_toolkits:*:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "3.14.0"
}
],
"source": "CPE_RANGE"
}