
Description

Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality that allows remote attackers to execute arbitrary code by uploading a crafted ZIP archive containing malicious PHP payloads. The import.php script does not enforce its authentication checks, so an attacker can upload a template archive whose media directory contains PHP code; the archive is extracted to a web-accessible path, where the malicious PHP can be requested directly and executed in the web server's context.
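The description identifies two missing controls: authentication on the import endpoint, and validation of the archive contents before extraction. The following is an added, defender-side example (not Xerte's code) of the second control, written as a stand-alone Python audit that a template-import handler or an upload scanner could apply to a ZIP before unpacking it: it rejects entries that escape the extraction directory, symlink entries, and any file whose dotted name segments carry a server-executable extension (the extension list is an assumption and should be adjusted to the deployed server stack; the sample archives are constructed in memory).

```python
import io
import posixpath
import zipfile

# Extensions a typical PHP-enabled web server would execute if they were
# extracted into a web-accessible directory (assumed list; extend for your stack).
EXECUTABLE_EXTS = {"php", "phtml", "php3", "php4", "php5", "php7", "phps", "phar", "htaccess"}

def archive_problems(zip_bytes: bytes) -> list[str]:
    """Return one reason per archive entry that must not be extracted.

    An empty list means every entry is a plain relative path with no
    executable extension in any of its dotted name segments.
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Normalise so 'media/../x' and backslash separators are judged the same way.
            norm = posixpath.normpath(name.replace("\\", "/"))
            if norm.startswith("/") or norm == ".." or norm.startswith("../"):
                problems.append(f"{name}: escapes the extraction directory")
                continue
            # Symlink entries could redirect extraction onto an existing web-served file.
            if (info.external_attr >> 16) & 0o170000 == 0o120000:
                problems.append(f"{name}: symbolic link")
                continue
            # Check every extension segment so 'shell.php.jpg' and 'x.PHP' are caught too.
            segments = posixpath.basename(norm).lower().split(".")[1:]
            if any(seg in EXECUTABLE_EXTS for seg in segments):
                problems.append(f"{name}: executable file type")
    return problems

def build_archive(entries: dict[str, bytes]) -> bytes:
    """Build an in-memory ZIP from {entry_name: content} (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":
    clean = build_archive({"template.xml": b"<template/>", "media/logo.png": b"\x89PNG"})
    print(archive_problems(clean))  # []
    bad = build_archive({
        "media/shell.php": b"placeholder, not a real payload",
        "media/pic.PhP.jpg": b"",
        "../../outside.txt": b"",
    })
    for problem in archive_problems(bad):
        print("reject:", problem)
```

This check complements, and does not replace, requiring an authenticated session on the import endpoint and serving the media directory with script execution disabled.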

Status: PUBLISHED | Reserved: 2026-03-17 | Published: 2026-03-20 | Updated: 2026-03-20 | Assigner: VulnCheck

CRITICAL: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N)

CRITICAL: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Problem types

CWE-306 Missing Authentication for Critical Function

CWE-434 Unrestricted Upload of File with Dangerous Type

Product status

Default status: unaffected

Any version: affected

Credits

indoushka (finder)

References

xot.xerte.org.uk/ - Xerte Online Toolkits vendor homepage (product)

packetstorm.news/files/id/216288/ - Packet Storm listing: Xerte Online Toolkits 3.14 Shell Upload (exploit)

cve.org - CVE-2026-32985

nvd.nist.gov - CVE-2026-32985
