CVE-2026-38429 - Vulnerability Details

OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin Import DB feature due to insecure XML parsing of user supplied .zip files containing a manifest.xml.

No CVSS v4.0

No CVSS v3.1

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

Vendors	Products
Alkacon	Opencms

No data.

OpenCVE Enrichment is a feature of OpenCVE that uses AI to automatically link vendors and products to CVEs. Learn more on GitHub.

Vendors	Products
Alkacon	Opencms

References

Link	Providers
https://github.com/alkacon/opencms-core/commit/e3e41e5a96d71383279e7d23c627efc9934008c1

History

Tue, 05 May 2026 18:45:00 +0000

Type	Values Removed	Values Added
Title		XML External Entity (XXE) Vulnerability in OpenCMS Admin Import DB Feature
First Time appeared		Alkacon Alkacon opencms
Weaknesses		CWE-611
Vendors & Products		Alkacon Alkacon opencms

Tue, 05 May 2026 17:00:00 +0000

Type	Values Removed	Values Added
Description		OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin Import DB feature due to insecure XML parsing of user supplied .zip files containing a manifest.xml.
References		https://github.com/alkacon/opencms-core/commit/e3e41e5a96d71383279e7d23c627efc9934008c1

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-05-05T00:00:00.000Z

Updated: 2026-05-05T16:30:08.697Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38429

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-05T17:17:04.547

Modified: 2026-05-05T20:24:04.853

Link: CVE-2026-38429

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T18:30:29Z

Metrics

Affected Vendors & Products

Metrics

Affected Vendors & Products

JSON object

JSON object

JSON object

JSON object

JSON object