CVE-2026-38429
CriticalSummary
OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin Import DB feature due to insecure XML parsing of user supplied .zip files containing a manifest.xml.
Risk Assessment
An attacker could exploit this vulnerability to gain access to sensitive data or perform unauthorized operations on the server, potentially leading to serious security breaches.
Recommendation
It is recommended to update OpenCMS to the latest version that addresses this vulnerability and to implement security measures to restrict the uploading of unsafe files by users.
Original NVD description (English source)
OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin Import DB feature due to insecure XML parsing of user supplied .zip files containing a manifest.xml.

