Platform: php
Component: xerte-online-toolkits
Fixed in: 3.14.1
CVE-2026-32985 describes a critical Remote Code Execution (RCE) vulnerability discovered in Xerte Online Toolkits. This flaw allows unauthenticated attackers to upload and execute malicious PHP code through the template import functionality. The vulnerability impacts versions 0 through 3.14 and requires immediate attention to prevent potential system compromise. A fix is available; upgrading is the recommended remediation.
The impact of CVE-2026-32985 is severe. An attacker can exploit this vulnerability to gain complete control over a server running Xerte Online Toolkits. By uploading a crafted ZIP archive containing malicious PHP code, they can bypass authentication checks and execute arbitrary commands within the web server's context. This could lead to data breaches, defacement of the website, installation of malware, or even complete system takeover. The unauthenticated nature of the vulnerability means that anyone with network access can attempt exploitation, significantly expanding the attack surface. This vulnerability shares similarities with other file upload vulnerabilities where attackers leverage ZIP bombs or crafted archive structures to bypass security controls.
CVE-2026-32985 was publicly disclosed on 2026-03-20. Currently, there is no indication of active exploitation in the wild. No public proof-of-concept (PoC) code has been released, but the vulnerability's ease of exploitation suggests that a PoC is likely to emerge. The vulnerability is not currently listed in the CISA KEV catalog. The CVSS score of 9.8 (CRITICAL) reflects the high severity and potential impact of this vulnerability.
EPSS: 0.77% (73rd percentile)
The primary mitigation for CVE-2026-32985 is to upgrade Xerte Online Toolkits to a patched version as soon as possible. If upgrading immediately is not feasible, consider implementing temporary workarounds. Restrict file uploads to trusted sources and implement strict file type validation to prevent the upload of PHP files. Web Application Firewalls (WAFs) can be configured to block suspicious file uploads and detect malicious payloads. Review and harden the Xerte Online Toolkits configuration, ensuring that the media directory is not directly accessible from the web server. After upgrading, confirm the fix by attempting a template import with a benign ZIP archive and verifying that the import process completes without errors and without executing any unexpected code.
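The strict file type validation described above can be applied to a template ZIP before it reaches the importer. The following is an added example, not code from Xerte Online Toolkits or from this advisory; the function names, the extension list, and the sample file names are assumptions, and the check is a stopgap that does not replace the upgrade.

```python
import io
import zipfile

# Assumption: extensions a PHP-enabled web server may hand to the
# interpreter; align this set with your own server's handler mappings.
BLOCKED_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar", ".pht"}
# Per-directory config files that can re-enable script execution.
BLOCKED_NAMES = {".htaccess", ".user.ini"}


def audit_template_zip(data: bytes) -> list:
    """Return reasons to reject the archive; an empty list means no finding."""
    findings = []
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return ["not a valid ZIP archive"]
    with archive:
        for info in archive.infolist():
            # Normalise separators so "a\\b.php" and "a/b.php" are treated alike.
            name = info.filename.replace("\\", "/")
            parts = [p for p in name.split("/") if p]
            if name.startswith("/") or ".." in parts or (parts and ":" in parts[0]):
                findings.append(f"{info.filename}: path escapes the extraction directory")
            if info.is_dir() or not parts:
                continue
            base = parts[-1].lower().rstrip(". ")
            # Check every dot-separated suffix: "page.php.jpg" can still be
            # executed under some multi-extension handler configurations.
            suffixes = {"." + s for s in base.split(".")[1:]}
            if suffixes & BLOCKED_EXTENSIONS:
                findings.append(f"{info.filename}: server-executable extension")
            if base in BLOCKED_NAMES:
                findings.append(f"{info.filename}: per-directory server config file")
    return findings


def build_zip(entries: dict) -> bytes:
    """Build an in-memory archive (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in entries.items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples: a benign template and one that should be rejected.
BENIGN = build_zip({"template.xml": b"<data/>", "media/logo.png": b"\x89PNG"})
SUSPECT = build_zip({"template.xml": b"<data/>", "media/info.PHP": b"<?php ?>",
                     "../outside.txt": b"x", "media/.htaccess": b""})
```

Run `audit_template_zip` over archives at an upload gateway or over ZIP files already stored on the server, and treat any non-empty result as a reason to quarantine the file for review.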
Update Xerte Online Toolkits to a version later than 3.14. This will resolve the unauthenticated arbitrary file upload vulnerability. Refer to the Xerte website for the latest version and upgrade instructions.
CVE-2026-32985 is a critical Remote Code Execution vulnerability in Xerte Online Toolkits versions 0–3.14, allowing attackers to execute arbitrary code through a flawed template import process.
If you are running Xerte Online Toolkits versions 0 through 3.14, you are potentially affected by this vulnerability. Immediate action is required.
The recommended fix is to upgrade to a patched version of Xerte Online Toolkits. If immediate upgrade is not possible, implement temporary workarounds like restricting file uploads and using a WAF.
As of now, there is no confirmed evidence of active exploitation in the wild, but the vulnerability's severity and ease of exploitation suggest potential for future attacks.
Please refer to the official Xerte Online Toolkits website and security advisories for the latest information and updates regarding CVE-2026-32985.