CVE-2026-32985

Name of the Vulnerable Software and Affected Versions Xerte Online Toolkits versions 3.14 and earlier

Description Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload issue in the template import functionality. This allows remote attackers to execute arbitrary code by uploading a crafted ZIP archive containing malicious PHP payloads. Attackers can bypass authentication checks in the import.php file to upload a template archive with PHP code in the media directory. The uploaded archive is extracted to a web-accessible path, allowing direct access and execution of the malicious PHP code under the web server context. The vulnerability exists in /website code/php/....

Recommendations Versions prior to 3.14 should be updated. As a temporary workaround, consider disabling the template import functionality until a patch is available. Restrict access to the import.php file to minimize the risk of exploitation.