CRITICAL · CVE-2026-32985 · CVSS 9.8

Xerte Online Toolkits <= 3.14 Unauthenticated Template Import Arbitrary File Upload Leading to Remote Code Execution

Platform

php

Component

xerte-online-toolkits

Fixed in

3.14.1

AI Confidence: high · NVD · EPSS 0.8% · Reviewed: May 2026

CVE-2026-32985 describes a critical Remote Code Execution (RCE) vulnerability discovered in Xerte Online Toolkits. This flaw allows unauthenticated attackers to upload and execute malicious PHP code through the template import functionality. The vulnerability impacts versions 0 through 3.14 and requires immediate attention to prevent potential system compromise. A fix is available; upgrading is the recommended remediation.

Impact and attack scenarios

The impact of CVE-2026-32985 is severe. An attacker can leverage this vulnerability to execute arbitrary code on the server hosting Xerte Online Toolkits without any authentication. This could lead to complete system compromise, including data theft, modification, or deletion. Attackers could also use the compromised server as a launchpad for further attacks against other systems within the network. The lack of authentication requirements significantly lowers the barrier to entry for exploitation, making this a high-priority vulnerability to address. The ability to upload and execute PHP code directly within a web-accessible directory is a particularly dangerous characteristic, similar to vulnerabilities that have previously led to widespread data breaches.

Exploitation context

CVE-2026-32985 was publicly disclosed on 2026-03-20. As of this date, there is no indication of active exploitation in the wild, nor are there any publicly available proof-of-concept (POC) exploits. The vulnerability has been added to the CISA KEV catalog, indicating a medium probability of exploitation. The ease of exploitation, due to the lack of authentication, warrants close monitoring and prompt patching.

Who is at risk

Organizations and individuals using Xerte Online Toolkits for e-learning content creation and delivery are at risk. This includes educational institutions, training providers, and businesses that rely on Xerte Online Toolkits for internal or external training programs. Shared hosting environments are particularly vulnerable, as a compromised Xerte Online Toolkits installation could potentially impact other websites hosted on the same server.

Detection steps

• php: Examine web server access logs for requests to import.php with unusual or suspicious ZIP archive filenames.

 grep "import.php" /var/log/apache2/access.log | grep -i zip

• php: Check the media directory for newly created PHP files with unexpected names or content.

 find /var/www/xerte/media -name '*.php' -print

• generic web: Monitor network traffic for attempts to upload ZIP archives to the Xerte Online Toolkits server. Use a WAF to detect and block suspicious upload patterns.

• generic web: Review Xerte Online Toolkits configuration files for any unusual or insecure settings related to file uploads.
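The two log and filesystem checks above, wrapped as shell functions and run against constructed sample data; this is an added example, not code from the advisory or from the Xerte project, and the log path, media path and directory layout are assumptions.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Xerte: wraps the two
# detection checks above as functions. All sample data is constructed.

# Constructed Apache combined-format log lines (not real traffic).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.5 - - [20/Mar/2026:10:01:02 +0000] "GET /xerte/index.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Mar/2026:10:02:13 +0000] "POST /xerte/import.php?template=pkg.zip HTTP/1.1" 200 128 "-" "curl/8.0"
198.51.100.9 - - [20/Mar/2026:10:03:44 +0000] "POST /xerte/import.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF

# Constructed media directory: one image and one PHP file that should
# not be there (assumed layout; the real path is site-specific).
SAMPLE_MEDIA=$(mktemp -d)
mkdir -p "$SAMPLE_MEDIA/1-user"
printf 'not really an image\n' > "$SAMPLE_MEDIA/1-user/picture.png"
printf '<?php echo "test"; ?>\n' > "$SAMPLE_MEDIA/1-user/dropped.php"

# Log lines that hit import.php and mention a .zip in the request line
# (case-insensitive), as in the grep pipeline in the detection steps.
suspicious_imports() {
    grep 'import\.php' "$1" | grep -i '\.zip'
}

# Count every POST to import.php, .zip in the URL or not: the archive
# name normally travels in the multipart body, so the URL alone can
# look clean. Prints 0 instead of failing when nothing matches.
count_import_posts() {
    grep -c '"POST [^"]*import\.php' "$1" || true
}

# PHP files under the media tree; legitimate Xerte media should not
# contain any, so every hit deserves a manual look.
php_files_in_media() {
    find "$1" -type f -name '*.php'
}

echo "== import.php requests carrying a .zip =="
suspicious_imports "$SAMPLE_LOG"
echo "== POSTs to import.php: $(count_import_posts "$SAMPLE_LOG") =="
echo "== PHP files under $SAMPLE_MEDIA =="
php_files_in_media "$SAMPLE_MEDIA"
```

Point the two functions at the real access log and media directory instead of the sample data; a POST count well above the .zip count means the archive names are in request bodies and need a WAF or upload log to see.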

Attack timeline

  1. Disclosure

Threat analysis

Exploit status

Proof of Concept: Unknown
CISA KEV: No
Internet exposure: High
Reports: 1 threat report

EPSS

0.77% (73rd percentile)

CISA SSVC

Exploitation: poc
Automatable: yes
Technical impact: total

CVSS vector

THREAT ANALYSIS · CVSS 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H (9.8 CRITICAL)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions for successful exploitation)
Privileges Required: None (authentication level required)
User Interaction: None (whether a victim must perform an action)
Scope: Unchanged (impact beyond the component)
Confidentiality: High (risk of sensitive data disclosure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)
nextguardhq.com · CVSS v3.1 base score

What do these metrics mean?
Attack Vector
Network: exploitable remotely over the internet. No physical or local access required.
Attack Complexity
Low: no special conditions required. Reliably exploitable.
Privileges Required
None: exploitable without authentication. No credentials required.
User Interaction
None: automatic and silent attack. The victim does nothing.
Scope
Unchanged: impact limited to the vulnerable component.
Confidentiality
High: complete loss of confidentiality. The attacker can read all data.
Integrity
High: the attacker can write, modify or delete arbitrary data.
Availability
High: complete crash or resource exhaustion. Total denial of service.

Affected software

Component: xerte-online-toolkits
Vendor: Xerte
Affected range: 0 – 3.14
Fixed in: 3.14.1

Vulnerability classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated
No patch: 65 days since disclosure

Mitigation and workarounds

The primary mitigation for CVE-2026-32985 is to upgrade Xerte Online Toolkits to a patched version as soon as possible. If upgrading immediately is not feasible, consider implementing temporary workarounds. These may include restricting file uploads to trusted sources only, implementing stricter input validation on uploaded files, and disabling the template import functionality entirely if it is not essential. Web Application Firewalls (WAFs) can be configured to detect and block attempts to upload malicious files. Monitor web server logs for suspicious file upload activity, specifically looking for PHP files in unexpected locations. After upgrading, confirm the fix by attempting to upload a test ZIP archive containing a harmless PHP file to the template import functionality; the upload should be rejected.

How to fix

Update Xerte Online Toolkits to a version newer than 3.14. This fixes the unauthenticated arbitrary file upload vulnerability. Visit the Xerte website for the latest version and the update instructions.


Frequently asked questions

What is CVE-2026-32985 — RCE in Xerte Online Toolkits?

CVE-2026-32985 is a critical Remote Code Execution vulnerability in Xerte Online Toolkits versions 0–3.14, allowing attackers to execute arbitrary code through a flawed template import process.

Am I affected by CVE-2026-32985 in Xerte Online Toolkits?

If you are running Xerte Online Toolkits versions 0 through 3.14, you are potentially affected by this vulnerability. Immediate action is required.

How do I fix CVE-2026-32985 in Xerte Online Toolkits?

The recommended fix is to upgrade to a patched version of Xerte Online Toolkits. If immediate upgrade is not possible, implement temporary workarounds like restricting file uploads and using a WAF.

Is CVE-2026-32985 being actively exploited?

As of now, there is no confirmed evidence of active exploitation in the wild, but the vulnerability's severity and ease of exploitation suggest potential for future attacks.

Where can I find the official Xerte Online Toolkits advisory for CVE-2026-32985?

Please refer to the official Xerte Online Toolkits website and security advisories for the latest information and updates regarding CVE-2026-32985.
