CVE-2026-38429

Published: May 05, 2026 Last Modified: May 05, 2026

Description

OpenCMS v20 and earlier is vulnerable to XML External Entity (XXE) in the Admin Import DB feature due to insecure XML parsing of user-supplied .zip files containing a manifest.xml.

https://github.com/alkacon/opencms-core/commit/e3e41e5a96d71383279e7d23c627efc9…