PT-2026-26456 · Xerte · Xerte Online Toolkits

Indoushka · Published 2026-03-20 · Updated 2026-03-20 · CVE-2026-32985

CVSS v3.1: 9.8 Critical (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality. The issue exists in /website_code/php/import/import.php where missing authentication checks allow an attacker to upload a crafted ZIP archive disguised as a project template. The archive can contain a malicious PHP payload placed in the media/ directory, which is extracted into a web-accessible USER-FILES/{projectID}--{targetFolder}/ path. An attacker can then directly access the uploaded PHP file to achieve remote code execution under the web server context.
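
A detection sketch for the pattern described above, added here as an example and not part of the advisory or of Xerte's code: it scans web server access logs for requests to script files under USER-FILES/*/media/ and records whether the same client earlier POSTed to the import endpoint. The Common Log Format layout, the extension list and the sample log lines are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Common Log Format prefix: client, timestamp, request line, status.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) ')
# Import endpoint named in the advisory, matched by suffix under any install prefix.
IMPORT_RE = re.compile(r'/php/import/import\.php$', re.I)
# Script-like file under USER-FILES/{projectID}--{targetFolder}/media/.
# Assumption: the extension list; align it with the server's PHP handler mapping.
SCRIPT_RE = re.compile(
    r'/USER-FILES/(?P<project>[^/]+)/media/(?:[^/]+/)*[^/]+\.(?:php\d?|phtml|phar)$',
    re.I)

def find_suspicious(lines):
    """Return one finding per request for a script under USER-FILES/*/media/."""
    importers = set()  # clients that POSTed to the import endpoint earlier in the log
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        path = unquote(urlsplit(m["target"]).path)
        if m["method"] == "POST" and IMPORT_RE.search(path):
            importers.add(m["ip"])
            continue
        hit = SCRIPT_RE.search(path)
        if hit:
            findings.append({
                "ip": m["ip"], "time": m["ts"], "path": path,
                "project": hit["project"],
                "served": m["status"] == "200",
                "after_import_post": m["ip"] in importers,
            })
    return findings

# Constructed sample access-log lines (documentation IP ranges, invented names).
SAMPLE_LOG = [
    '198.51.100.7 - - [20/Mar/2026:10:01:02 +0000] "POST /website_code/php/import/import.php HTTP/1.1" 200 512',
    '198.51.100.7 - - [20/Mar/2026:10:01:09 +0000] "GET /USER-FILES/41--example/media/logo.PHP HTTP/1.1" 200 64',
    '192.0.2.10 - - [20/Mar/2026:10:02:30 +0000] "GET /USER-FILES/12--example/media/photo.jpg HTTP/1.1" 200 20480',
    '203.0.113.5 - - [20/Mar/2026:10:03:44 +0000] "GET /USER-FILES/12--example/media/old.phtml HTTP/1.1" 404 196',
]

if __name__ == "__main__":
    for finding in find_suspicious(SAMPLE_LOG):
        print(finding)
```

A finding with both `served` and `after_import_post` set is the highest-priority case for triage; any script file present under a media/ directory on disk is worth reviewing regardless of log evidence.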

Exploit · Fix · Missing Authentication · Unrestricted File Upload

Weakness Enumeration

Related Identifiers: CVE-2026-32985

Affected Products: Xerte Online Toolkits