CVE-2026-38429

Published May 5th, 2026

View on NVD ↗

CVSS v3

9.8

CRITICAL

CVSS v2

N/A

Affected

PROJECT

Description

OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin Import DB feature due to insecure XML parsing of user supplied .zip files containing a manifest.xml.

alkacon/opencms-core

The Java open source content management system by Alkacon Software

GitHub

567