Lucene search

20 matches found

CVE
added 2026/05/08 12:0 a.m. · 5 views

CVE-2023-42346

CVE-2023-42346 affects Alkacon OpenCms before version 16, where an external-hosted DOCTYPE can trigger a server-side XML External Entity (XXE) vulnerability. The root cause is improper handling of external entities in XML processing, leading to potential exposure of confidential data (CVSS 3.1 ba...

CVSS 7.5 · AI score 5.8 · EPSS 0.00079
Exploits 0 · References 1

CNNVD
added 2026/05/05 12:0 a.m. · 5 views

opencms security vulnerability

OpenCms is a CMS system developed by Fumiao as an individual developer. OpenCms v20 and earlier versions had security vulnerabilities, which stemmed from insecure XML parsing in the Admin Import DB function. The manifest.xml file provided by users in .zip files could lead to XML external entity...

CVSS 9.8 · AI score 5.8 · EPSS 0.0006
Exploits 0 · References 2

NVD
added 2026/02/19 9:16 a.m. · 2 views

CVE-2026-2736

Reflected Cross-site Scripting (XSS) in Alkacon's OpenCms v18.0, which allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL containing the ‘q’ parameter in ‘/search/index.html’. This vulnerability can be exploited to steal sensitive user...

CVSS 6.1 · EPSS 0.00039
Exploits 0 · References 1

CVE
added 2026/02/19 8:39 a.m. · 6 views

CVE-2026-2736

Alkacon OpenCms 18.0 is affected by CVE-2026-2736: a reflected XSS vulnerability exploitable by sending a user a malicious URL containing the q parameter in /search/index.html. The issue allows execution of JavaScript in the victim’s browser, enabling potential access to session cookies or action...

CVSS 6.1 · AI score 5.8 · EPSS 0.00039
Exploits 0 · References 1 · Affected Software 1

CVE
added 2026/02/19 8:38 a.m. · 7 views

CVE-2026-2735

CVE-2026-2735 describes a Stored XSS in Alkacon’s OpenCms v18.0. The vulnerability occurs when user input is not properly validated in a POST request to /blog/new-article/org.opencms.ugc.CmsUgcEditService.gwt using the text parameter. According to the record, the impact is limited to the vulnerab...

CVSS 5.4 · AI score 5.5 · EPSS 0.00039
Exploits 0 · References 1 · Affected Software 1

EUVD
added 2025/10/07 12:30 a.m. · 1 view

EUVD-2005-4470

Malware in sbrugna...

CVSS 6.8 · AI score 6.4 · EPSS 0.00977
Exploits 0 · References 4

EUVD
added 2025/10/03 8:7 p.m. · 1 view

EUVD-2025-12362

Malicious code in bioql PyPI...

CVSS 4.3 · AI score 6.6 · EPSS 0.00407
Exploits 1 · References 3

RedhatCVE
added 2025/05/22 7:25 a.m. · 4 views

CVE-2019-11819

Alkacon OpenCMS v10.5.4 and before is affected by CSV aka Excel Macro Injection in the module New User /opencms/system/workplace/admin/accounts/usernew.jsp via the First Name or Last Name...

CVSS 7.8 · AI score 7.3 · EPSS 0.00203
Exploits 1 · References 1

NVD
added 2025/04/21 5:15 p.m. · 11 views

CVE-2025-28099

opencms V2.3 is vulnerable to Arbitrary file read in src/main/webapp/view/admin/document/dataPage.jsp,...

CVSS 4.3 · EPSS 0.00407
Exploits 1 · References 2

CVE
added 2025/04/21 12:0 a.m. · 36 views

CVE-2025-28099

Opencms 2.3 is affected by CVE-2025-28099, a vulnerability in src/main/webapp/view/admin/document/dataPage.jsp that allows Arbitrary file read. The issue stems from the dataPage.jsp handling untrusted input, enabling retrieval of files outside the intended scope. Public references in multiple fee...

CVSS 4.3 · AI score 6.8 · EPSS 0.00407
Exploits 1 · References 2 · Affected Software 1

Cvelist
added 2025/04/21 12:0 a.m. · 8 views

CVE-2025-28099

opencms V2.3 is vulnerable to Arbitrary file read in src/main/webapp/view/admin/document/dataPage.jsp,...

EPSS 0.00407
Exploits 1 · References 2

Positive Technologies
added 2025/04/21 12:0 a.m. · 2 views

PT-2025-17452 · Opencms · Opencms

Name of the Vulnerable Software and Affected Versions: opencms version 2.3 Description: The issue allows for Arbitrary file read in the src/main/webapp/view/admin/document/dataPage.jsp file. Recommendations: For opencms version 2.3, as a temporary workaround, consider restricting access to the...

CVSS 4.3 · AI score 6.1 · EPSS 0.00407
Exploits 1 · References 7

Packet Storm
added 2025/04/15 12:0 a.m. · 185 views

OpenCMS 17.0 Cross Site Scripting

OpenCMS version 17.0 suffers from a persistent cross site scripting vulnerability. Exploit Title: OpenCMS 17.0 - Stored Cross Site Scripting (XSS). Date: 24-11-2024. Exploit Author: Siddhartha Naik. Vendor Homepage: http://www.opencms.org/en/ Software Link:...

CVSS 5.4 · AI score 6.2 · EPSS 0.00141
Exploits 3

Positive Technologies
added 2025/04/06 12:0 a.m. · 3 views

PT-2025-15099 · Unknown · Fumiao Opencms

Name of the Vulnerable Software and Affected Versions: fumiao opencms up to a0fafa5cff58719e9b27c2a2eec204cc165ce14f Description: A problematic vulnerability has been found in fumiao opencms. The issue affects an unknown function of the file...

CVSS 5.3 · AI score 4.5 · EPSS 0.00382
Exploits 0 · References 7

GitHub Security Blog
added 2022/05/01 11:38 p.m. · 4 views

Alkacon OpenCMS Absolute Path Traversal via pathname in filePath.0 parameter

Absolute path traversal vulnerability in system/workplace/admin/workplace/logfileview/logfileViewSettings.jsp in Alkacon OpenCms 7.0.3 and 7.0.4 allows remote authenticated administrators to read arbitrary files via a full pathname in the filePath.0 parameter...

CVSS 4 · AI score 6.2 · EPSS 0.03125
Exploits 1 · References 5 · Affected Software 1

GitHub Security Blog
added 2022/05/01 7:13 a.m. · 3 views

Alkacon OpenCMS Absolute Path Traversal via pathname in filePath parameter

Absolute path traversal vulnerability in downloadTrigger.jsp in Alkacon OpenCms before 6.2.2 allows remote authenticated users to download arbitrary files via an absolute pathname in the filePath parameter...

CVSS 4 · AI score 6.3 · EPSS 0.00692
Exploits 1 · References 7 · Affected Software 1

GitHub Security Blog
added 2022/05/01 7:0 a.m. · 4 views

Alkacon OpenCms XSS via query parameter in a search action

Cross-site scripting (XSS) vulnerability in search.html in Alkacon OpenCms 6.0.0, 6.0.2, and 6.0.3 allows remote attackers to inject arbitrary web script or HTML via the query parameter in a search action...

CVSS 2.6 · AI score 5.6 · EPSS 0.00622
Exploits 1 · References 4 · Affected Software 1

CNNVD
added 2021/10/19 12:0 a.m. · 2 views

Alkacon Software OpenCms cross-site scripting vulnerability

Alkacon Software OpenCms is a professional, open source, easy-to-use web content management system from Alkacon Software, Germany. A cross-site scripting vulnerability exists in Alkacon Software OpenCMS versions 10.5.0 through 11.0.2, which allows a user with a low-privileged application to store...

CVSS 5.4 · AI score 5.4 · EPSS 0.00206
Exploits 0 · References 2

CNVD
added 2019/08/28 12:0 a.m. · 1 view

Alkacon OpenCms Cross-Site Scripting Vulnerability (CNVD-2019-40077)

OpenCms is an open source content management system written in Java, launched by the company Alkacon. Multiple reflected and stored cross-site scripting vulnerabilities exist in the administrative interface of system/workplace/ in Alkacon OpenCms 10.5.4 and 10.5.5. An attacker can exploit this...

CVSS 6.1 · AI score 6.2 · EPSS 0.03599
Exploits 5 · References 1

CNVD
added 2015/03/17 12:0 a.m. · 1 view

Alkacon OpenCms suffers from multiple cross-site scripting vulnerabilities (CNVD-2015-01811)

OpenCms is a professional level open source web content management system. Multiple cross-site scripting vulnerabilities exist in Alkacon OpenCms 9.5.1 and prior versions because it fails to properly filter user-supplied input, allowing an attacker to exploit the vulnerabilities to execute...

CVSS 4.3 · AI score 6.9 · EPSS 0.004
Exploits 1 · References 1