What is CVE-2026-32985?

CVE-2026-32985 is a critical-severity vulnerability in Xerte Online Toolkits, classified under Missing Authentication for Critical Function. CVSS score: 9.8/10. Published 2026-03-20.

How severe is CVE-2026-32985?

Critical severity. CVSS v3 base score is 9.8 out of 10.

Is CVE-2026-32985 known to be exploited?

1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.

Auth bypass in Xerte Online Toolkits

CVE-2026-32985

Xerte Online Toolkits versions 3.14 and earlier contain an unauthenticated arbitrary file upload vulnerability in the template import functionality that allows remote attackers to execute arbitrary code by uploading a crafted ZIP archive c…

Vulnerability class: Broken Authentication

EPSS: 0.700 (98.7th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Xerte Online Toolkits — versions 0

Weakness classification (CWE)

Public proof-of-concept exploits

rapid7/metasploit-framework

References

Xerte Online Toolkits - Vendor Homepage (product)
Packet Storm listing (Xerte Online Toolkits 3.14 Shell Upload) (exploit)

Frequently asked questions

What is CVE-2026-32985?: CVE-2026-32985 is a critical-severity vulnerability in Xerte Online Toolkits, classified under Missing Authentication for Critical Function. CVSS score: 9.8/10. Published 2026-03-20.
How severe is CVE-2026-32985?: Critical severity. CVSS v3 base score is 9.8 out of 10.
Is CVE-2026-32985 known to be exploited?: 1 public proof-of-concept repositories are indexed. Not currently listed in the CISA KEV catalog.