CVE-2026-38429 - Vulnerability Analysis
Severity: Critical | CVSS: 9.8 | Last Updated: May 6, 2026
OpenCMS - XML External Entity Injection
Published: May 5, 2026 | Updated: May 6, 2026 | Remote Exploitable
Overview
OpenCMS v20 and earlier contains an XML External Entity (XXE) injection caused by insecure XML parsing of user-supplied .zip files containing a manifest.xml in the Admin Import DB feature, letting attackers disclose sensitive information. Exploitation requires admin access.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Attackers can disclose sensitive information by exploiting XXE in XML parsing of .zip files.
Mitigation
Update to the latest version beyond v20 that fixes XML parsing vulnerabilities.
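For defenders who cannot upgrade immediately or who want to verify a fix, the parser hardening that removes this class of bug looks like the following. This is an added example, not OpenCMS's own import code: the class name, the archive layout beyond the manifest.xml entry named in the overview, and the sample manifest contents are constructed for illustration.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

// Hypothetical import helper (not the OpenCMS class) showing a hardened
// DocumentBuilder for manifest.xml pulled out of an uploaded archive.
public class SafeManifestImport {

    // Hardened factory: refuses any DOCTYPE, so no general or parameter
    // entity can be declared and no external DTD or schema is ever fetched.
    static DocumentBuilder hardenedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_DTD, "");
        f.setAttribute(XMLConstants.ACCESS_EXTERNAL_SCHEMA, "");
        return f.newDocumentBuilder();
    }

    // Locates manifest.xml in the uploaded archive and parses it with the
    // hardened builder. Anything else in the archive is ignored here.
    static Document parseManifest(InputStream zipBytes)
            throws IOException, SAXException, ParserConfigurationException {
        try (ZipInputStream zin = new ZipInputStream(zipBytes)) {
            ZipEntry e;
            while ((e = zin.getNextEntry()) != null) {
                if ("manifest.xml".equals(e.getName())) {
                    // readAllBytes on a ZipInputStream returns only the current entry.
                    byte[] data = zin.readAllBytes();
                    return hardenedBuilder().parse(new ByteArrayInputStream(data));
                }
            }
        }
        throw new IOException("manifest.xml not found in archive");
    }

    // Builds a constructed in-memory archive containing a single manifest.xml.
    static byte[] archiveWith(String manifestXml) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bos)) {
            zout.putNextEntry(new ZipEntry("manifest.xml"));
            zout.write(manifestXml.getBytes(StandardCharsets.UTF_8));
            zout.closeEntry();
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed benign manifest: parses normally.
        String clean = "<?xml version=\"1.0\"?><export><module name=\"demo\"/></export>";
        Document d = parseManifest(new ByteArrayInputStream(archiveWith(clean)));
        System.out.println("clean manifest root: " + d.getDocumentElement().getTagName());

        // Constructed manifest carrying a DOCTYPE (internal entity only): the
        // hardened parser rejects it before any entity declaration is processed.
        String withDoctype = "<?xml version=\"1.0\"?>"
                + "<!DOCTYPE export [<!ENTITY e \"x\">]><export>&e;</export>";
        try {
            parseManifest(new ByteArrayInputStream(archiveWith(withDoctype)));
            System.out.println("unexpected: DOCTYPE accepted");
        } catch (SAXException ex) {
            System.out.println("rejected manifest with DOCTYPE: " + ex.getMessage());
        }
    }
}
```

Disallowing the DOCTYPE declaration outright is the simplest complete fix for CWE-611 in a JAXP parser; the remaining feature flags are defence in depth for parsers that do not honour the first one. A detection check on an affected deployment is the same in reverse: an Import DB archive whose manifest.xml begins with a DOCTYPE has no legitimate reason to do so and is worth alerting on.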
Details
- CVE ID: CVE-2026-38429
- Severity: Critical
- CVSS Score: 9.8
- Type: xml_external_entity_injection
- Status: rejected
CWE
- CWE-611
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H