EUVD-2026-13416

CVE-2026-32985 | CRITICAL 9.8 (CVSS 3.1)
Published 2026-03-20

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Lifecycle Timeline

Mar 20, 2026 00:30 (vuln.today): Analysis Generated
Mar 20, 2026 00:30 (euvd): EUVD ID Assigned, EUVD-2026-13416
Mar 20, 2026 00:16 (nvd): CVE Published

Description

Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality. The issue exists in /website_code/php/import/import.php where missing authentication checks allow an attacker to upload a crafted ZIP archive disguised as a project template. The archive can contain a malicious PHP payload placed in the media/ directory, which is extracted into a web-accessible USER-FILES/{projectID}--{targetFolder}/ path. An attacker can then directly access the uploaded PHP file to achieve remote code execution under the web server context.

Analysis

Xerte Online Toolkits 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability, rated CVSS 9.8, that allows remote code execution. The template import functionality at /website_code/php/import/import.php lacks authentication checks, enabling attackers to upload ZIP archives containing malicious PHP files that are extracted to web-accessible directories. …


Remediation

Within 24 hours: Inventory all Xerte deployments and determine version numbers; disable the template import functionality or restrict access to the /website_code/php/import/ endpoint at the network/WAF level. Within 7 days: Implement network segmentation to isolate Xerte servers, enable comprehensive logging and monitoring for suspicious file uploads and PHP execution in USER-FILES directories, and conduct forensic analysis for evidence of exploitation. …
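As an added illustration of the content check this advisory implies (not code from the Xerte project or from vuln.today), the following Python vets an uploaded template ZIP before anything is extracted: it rejects entries that would escape the USER-FILES/{projectID}--{targetFolder}/ path and any server-executable PHP file, wherever it sits in the archive. The function names, size limit and sample archives are constructed for this example; such a check complements the missing authentication check rather than replacing it.

```python
import io
import re
import zipfile
from typing import List, Sequence, Tuple

# File types a PHP-enabled web server may execute if they land under a
# web-accessible path such as USER-FILES/; rejected anywhere in the archive,
# including double extensions like "logo.php.png".
SERVER_EXECUTABLE = re.compile(r"\.(php\d?|phtml|phar)(\.|$)", re.IGNORECASE)

# Assumed upper bound on total uncompressed size, so a tiny ZIP cannot fill the disk.
MAX_UNPACKED_BYTES = 200 * 1024 * 1024


def vet_template_archive(data: bytes) -> List[str]:
    """Return the reasons an uploaded template ZIP must be rejected (empty == safe)."""
    problems: List[str] = []
    unpacked = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            parts = re.split(r"[\\/]", name)
            # Absolute paths, drive letters and ".." components would let an
            # entry land outside the project's target folder.
            if name.startswith(("/", "\\")) or ":" in parts[0] or ".." in parts:
                problems.append(f"path escape: {name}")
            if SERVER_EXECUTABLE.search(name):
                problems.append(f"server-executable file: {name}")
            unpacked += info.file_size
    if unpacked > MAX_UNPACKED_BYTES:
        problems.append(f"archive expands to {unpacked} bytes")
    return problems


def build_zip(entries: Sequence[Tuple[str, bytes]]) -> bytes:
    """Constructed helper: build an in-memory ZIP from (name, content) pairs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in entries:
            zf.writestr(name, content)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample archives: a benign template and one carrying a PHP file.
    benign = build_zip([("template.xml", b"<template/>"), ("media/logo.png", b"\x89PNG")])
    hostile = build_zip([("media/upload.php", b"placeholder"), ("../outside.txt", b"x")])
    print("benign :", vet_template_archive(benign) or "accepted")
    print("hostile:", vet_template_archive(hostile))
```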


Priority Score

49 on a Low / Medium / High / Critical scale, composed of: KEV 0, EPSS +0.4, CVSS +49, POC 0


EUVD-2026-13416 vulnerability details – vuln.today
