CVE•Published 2026-03-20•1 article on news•5 live references•NVD data

CVE-2026-32985

Vulnerability data via CVEDB (Shodan)

CVSS v3.1

9.3

CRITICAL

EPSS percentile

Exploit Prediction Scoring System · top 1% of all CVEs

Description

Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality that allows remote attackers to execute arbitrary code by uploading a crafted ZIP archive containing malicious PHP payloads. Attackers can bypass authentication checks in the import.php file to upload a template archive with PHP code in the media directory, which gets extracted to a web-accessible path where the malicious PHP can be directly accessed and executed under the web server context.

Timeline

Published 2026-03-20

External references

NVD MITRE Exploit-DB Sploitus VulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common). Live host counts are a Premium feature.

Shodan · vuln tag

vuln:CVE-2026-32985

Hosts Shodan has explicitly fingerprinted as vulnerable.

Shodan · product + version

product:"Apereo Xerte Online Toolkits" version:"2.0"

Version-pinned fingerprint from NVD's first vulnerable CPE.

Shodan · banner/body mention

http.html:"Xerte Online Toolkits"

HTTP body or banner mentions "Xerte Online Toolkits" — catches deploys Shodan didn't identify as a product.

More intel sources (5)

Shodan report

vuln:CVE-2026-32985