CVE Catalog

CVE-2026-38429

Critical
Published: Translated: NVD NIST

Summary

OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin Import DB feature due to insecure XML parsing of user supplied .zip files containing a manifest.xml.

Risk Assessment

An attacker could exploit this vulnerability to gain access to sensitive data or perform unauthorized operations on the server, potentially leading to serious security breaches.

Recommendation

It is recommended to update OpenCMS to the latest version that addresses this vulnerability and to implement security measures to restrict the uploading of unsafe files by users.

Original NVD description (English source)

OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin Import DB feature due to insecure XML parsing of user supplied .zip files containing a manifest.xml.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS