
PHP CVE-2026-32985

EUVD-2026-13416 | CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-03-20 disclosure@vulncheck.com
Score: 9.3 (CVSS 4.0)

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

Apr 16, 2026 13:52 (vuln.today): Re-analysis queued
Apr 16, 2026 13:52 (NVD): CVSS changed from 9.8 (CRITICAL) to 9.3 (CRITICAL)
Mar 20, 2026 00:30 (euvd): EUVD ID assigned, EUVD-2026-13416
Mar 20, 2026 00:30 (vuln.today): Analysis generated
Mar 20, 2026 00:16 (nvd): CVE published, CRITICAL 9.8

Description (NVD)

Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality. The issue exists in /website_code/php/import/import.php where missing authentication checks allow an attacker to upload a crafted ZIP archive disguised as a project template. The archive can contain a malicious PHP payload placed in the media/ directory, which is extracted into a web-accessible USER-FILES/{projectID}--{targetFolder}/ path. An attacker can then directly access the uploaded PHP file to achieve remote code execution under the web server context.

Analysis (AI)

Xerte Online Toolkits 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability allowing remote code execution with a CVSS score of 9.8. The template import functionality at /website_code/php/import/import.php lacks authentication checks, enabling attackers to upload ZIP archives containing malicious PHP files that are extracted to web-accessible directories. …


Remediation (AI)

Within 24 hours: Inventory all Xerte deployments and determine version numbers; disable the template import functionality or restrict access to the /website_code/php/import/ endpoint at the network/WAF level. Within 7 days: Implement network segmentation to isolate Xerte servers, enable comprehensive logging and monitoring for suspicious file uploads and PHP execution in USER-FILES directories, and conduct forensic analysis for evidence of exploitation. …
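The remediation above asks for monitoring of uploads to the import endpoint and of PHP execution under USER-FILES. The script below is an added detection example, not code from vuln.today or the Xerte project; it assumes a Xerte web root containing USER-FILES/ and a combined-format web server access log, and the PHP extension list and the open-tag heuristic are assumptions rather than anything the advisory states.

```python
import os
import re

# Endpoint and folder names come from the advisory; the extension list and
# the open-tag check are assumptions to catch payloads with renamed extensions.
IMPORT_ENDPOINT = "/website_code/php/import/import.php"
PHP_EXTS = (".php", ".phtml", ".phar", ".php5", ".php7")
PHP_TAG = re.compile(rb"<\?(php|=)", re.I)
# Combined/common log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" \d{3}')


def find_php_in_user_files(webroot):
    """List files under <webroot>/USER-FILES that look like PHP by extension or open tag."""
    hits = []
    for dirpath, _dirs, files in os.walk(os.path.join(webroot, "USER-FILES")):
        for name in files:
            path = os.path.join(dirpath, name)
            if name.lower().endswith(PHP_EXTS):
                hits.append(path)
                continue
            try:
                with open(path, "rb") as fh:  # only the first 4 KiB is inspected
                    if PHP_TAG.search(fh.read(4096)):
                        hits.append(path)
            except OSError:
                pass  # unreadable file: skip rather than abort the sweep
    return sorted(hits)


def suspicious_log_entries(lines):
    """Flag POSTs to the import endpoint and requests for PHP-looking files under /USER-FILES/."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        path = m["path"].split("?", 1)[0]  # drop the query string before matching
        if m["method"] == "POST" and path == IMPORT_ENDPOINT:
            alerts.append(("import_upload", m["ip"], path))
        elif path.startswith("/USER-FILES/") and path.lower().endswith(PHP_EXTS):
            alerts.append(("php_under_user_files", m["ip"], path))
    return alerts


# Constructed sample log lines (documentation IP ranges, made-up project folder).
SAMPLE_LOG = [
    '203.0.113.5 - - [20/Mar/2026:10:01:02 +0000] "POST /website_code/php/import/import.php HTTP/1.1" 200 512',
    '203.0.113.5 - - [20/Mar/2026:10:01:05 +0000] "GET /USER-FILES/42--demo/media/upload.php?x=1 HTTP/1.1" 200 88',
    '198.51.100.9 - - [20/Mar/2026:10:02:00 +0000] "GET /USER-FILES/42--demo/media/logo.png HTTP/1.1" 200 4096',
]
```

Run `find_php_in_user_files` against the real web root and feed `suspicious_log_entries` the live access log; a PHP hit under a `{projectID}--{targetFolder}` directory that follows a POST to the import endpoint is the exploitation pattern the description outlines.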



CVE-2026-32985 vulnerability details – vuln.today
