CVE-2026-32985 is a critical unauthenticated arbitrary file upload vulnerability affecting Xerte Online Toolkits versions 3.14 and earlier. The vulnerability exists in the /website_code/php/import/import.php script, which handles the import of project templates. Due to missing authentication checks (CWE-306), an attacker can upload a specially crafted ZIP archive disguised as a legitimate project template. This archive can contain a malicious PHP payload placed within the media/ directory. Upon import, the ZIP archive is extracted into a web-accessible path USER-FILES/{projectID}--{targetFolder}/ without validation or sanitization of the contents. Because the uploaded PHP file resides in a web-accessible directory, an attacker can directly invoke it via HTTP requests, resulting in remote code execution (RCE) under the web server's privileges. This vulnerability also relates to CWE-434 (Unrestricted Upload of File with Dangerous Type). The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), no authentication required (AT:N), no privileges required (PR:N), no user interaction (UI:N), and high impact on confidentiality, integrity, and availability (VC:H, VI:H, VA:H). Although no exploits are currently known in the wild, the vulnerability's characteristics make it highly exploitable and dangerous.

The impact of CVE-2026-32985 is severe for organizations using vulnerable versions of Xerte Online Toolkits. Successful exploitation allows attackers to execute arbitrary code remotely on the web server, potentially leading to full system compromise. This can result in unauthorized data access, data modification, service disruption, and lateral movement within the network. Since the vulnerability requires no authentication or user interaction, it can be exploited by any remote attacker scanning for vulnerable instances. Educational institutions, training providers, and organizations relying on Xerte for online content creation and delivery are particularly at risk. The compromise of these systems could lead to data breaches involving sensitive educational content and user information, damage to organizational reputation, and operational downtime.

To mitigate this vulnerability, organizations should immediately upgrade Xerte Online Toolkits to a version where this issue is patched once available. In the absence of an official patch, implement the following specific mitigations: 1) Restrict access to the import.php endpoint via network controls such as IP whitelisting or VPN access to limit exposure. 2) Implement web application firewall (WAF) rules to detect and block suspicious ZIP archive uploads or HTTP requests targeting the import functionality. 3) Manually audit and restrict write permissions on the USER-FILES directory to prevent execution of uploaded files, for example by disabling PHP execution in this directory via web server configuration. 4) Monitor web server logs for unusual access patterns to the USER-FILES directory or unexpected PHP file executions. 5) Employ intrusion detection systems to alert on anomalous file uploads or code execution attempts. 6) Educate administrators on the risks of unauthenticated file uploads and enforce strict access controls on administrative interfaces. These targeted mitigations can reduce risk until a vendor patch is applied.