CVE-2026-32985

CRITICAL

Xerte Online Toolkits <= 3.14 Unauthenticated Template Import Arbitrary File Upload Leading to Remote Code Execution

Title source: cna

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-32985. PoCs published by Brandon Lester, including Metasploit module exploits/multi/http/xerte_unauthenticated_template_import_rce.

AI-analyzed exploit summary This Metasploit module exploits an authentication bypass in Xerte Online Toolkits to upload a malicious ZIP file containing a PHP shell, achieving remote code execution. The exploit targets the import functionality and leverages a crafted ZIP archive to bypass restrictions.

Description

Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality that allows remote attackers to execute arbitrary code by uploading a crafted ZIP archive containing malicious PHP payloads. Attackers can bypass authentication checks in the import.php file to upload a template archive with PHP code in the media directory, which gets extracted to a web-accessible path where the malicious PHP can be directly accessed and executed under the web server context.

Exploits (1)

metasploit WORKING POC EXCELLENT

by Brandon Lester · rubypocphp

https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/multi/http/xerte_unauthenticated_template_import_rce.rb

View Code ZIP pw:eip

This Metasploit module exploits an authentication bypass in Xerte Online Toolkits to upload a malicious ZIP file containing a PHP shell, achieving remote code execution. The exploit targets the import functionality and leverages a crafted ZIP archive to bypass restrictions.

Classification

Working Poc 100%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: Xerte Online Toolkits versions 3.14 and earlier

No auth needed

Prerequisites: Network access to the target · Xerte Online Toolkits installation with vulnerable version

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 27, 2026 Full analysis →

References (2)

Core 2

Core References

Product product

Xerte Online Toolkits - Vendor Homepage

https://xot.xerte.org.uk/

Exploit exploit

Packet Storm listing (Xerte Online Toolkits 3.14 Shell Upload)

https://packetstorm.news/files/id/216288/

Scores

CVSS v3 9.8

EPSS 0.0148

EPSS Percentile 70.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact total

Details

CWE

CWE-306 CWE-434

Status published

Products (2)

apereo/xerte_online_toolkits < 3.14.0

Xerte/Xerte Online Toolkits < 3.14

Published Mar 20, 2026

Tracked Since Mar 20, 2026