Cross-site Scripting in Alkacon Software OpenCms
Description
Cross-site scripting (XSS) vulnerability in Alkacon Software Open CMS, affecting versions 14 and 15 of the 'Mercury' template. This vulnerability could allow a remote attacker to send a specially crafted JavaScript payload to a victim and partially take control of their browsing session.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Cross-site scripting (XSS) vulnerability in Alkacon OpenCMS Mercury template (v14, v15) allows remote attackers to inject JavaScript via a crafted payload.
Analysis
The vulnerability is a stored cross-site scripting (XSS) issue in the 'Mercury' template of Alkacon Software OpenCms, affecting versions 14 and 15 [1][3]. The root cause is insufficient sanitization of user-controlled input when the explorer UI component (CmsResourceTable.generateDescription()) builds a description from a property value and returns it as a raw string. The fix escapes that value with CmsEncoder.escapeXml() before it is returned [4].
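To make the pre- and post-fix behaviour concrete, the following is an added example (not OpenCms project code) that mirrors the two shapes of the return statement in generateDescription(); the local escapeXml() helper is an assumed stand-in for CmsEncoder.escapeXml(), and the sample resource title is constructed.

```java
// Added example, not from OpenCms: contrasts the unescaped return that was the
// XSS sink with the escaped return introduced by the fix.
public class DescriptionEscapeDemo {

    // Assumed stand-in for org.opencms.i18n.CmsEncoder.escapeXml(): replaces the
    // characters that would otherwise be interpreted as markup when the
    // description is rendered in the explorer UI.
    static String escapeXml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Pre-fix shape: the property value is returned verbatim, so any markup a
    // user placed in it reaches the rendered description unchanged.
    static String vulnerableDescription(Object value) {
        return value == null ? null : "" + value;
    }

    // Post-fix shape: the same value is escaped first, so the markup is shown
    // as literal text instead of being interpreted.
    static String fixedDescription(Object value) {
        return value == null ? null : escapeXml("" + value);
    }

    public static void main(String[] args) {
        // Constructed sample: a user-controlled resource title carrying markup.
        String title = "Quarterly report <script>alert('x')</script>";
        System.out.println("before fix: " + vulnerableDescription(title));
        System.out.println("after fix:  " + fixedDescription(title));
        // Null handling is unchanged by the fix: both paths return null.
        System.out.println("null value: " + fixedDescription(null));
    }
}
```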
Exploitation
An attacker can send a specially crafted JavaScript payload to a victim, for example via a malicious link or by injecting the payload into a field processed by the vulnerable component. The attack requires no authentication but relies on user interaction (e.g., clicking a link) [3]. The CVSS vector indicates the attack is over the network, has low complexity, and requires user interaction (AV:N/AC:L/PR:N/UI:R) [3].
Impact
Successful exploitation leads to partial control of the victim's browsing session within the context of the vulnerable OpenCms application [1][3]. This could allow the attacker to perform actions on behalf of the victim, steal session tokens, or deface content. The impact is limited to confidentiality and integrity at a low level, and the scope is unchanged (U) [3].
Mitigation
The vulnerability has been patched in OpenCms version 16 [3]. Users running versions 14 or 15 of the Mercury template should upgrade to version 16 or later to remediate the issue [3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.opencms:opencms-core (Maven) | >= 14.0.0, < 16.0.0 | 16.0.0 |
Affected products
- Alkacon / Open CMS (v5), version range: 14
Patches
1d965c18ac6d2: Fixed XSS issue in explorer.
1 file changed · +2 −1
src/org/opencms/ui/components/CmsResourceTable.java+2 −1 modified@@ -61,6 +61,7 @@ import org.opencms.file.CmsPropertyDefinition; import org.opencms.file.CmsResource; import org.opencms.file.types.I_CmsResourceType; +import org.opencms.i18n.CmsEncoder; import org.opencms.main.CmsException; import org.opencms.main.CmsLog; import org.opencms.main.OpenCms; @@ -282,7 +283,7 @@ public String generateDescription(Component source, Object itemId, Object proper } else if (String.class.equals(prop.getType()) || ClassUtils.isPrimitiveOrWrapper(prop.getType())) { Object value = prop.getValue(); if (value != null) { - return "" + value; + return CmsEncoder.escapeXml("" + value); } } }
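Review bot: the escapeXml() call in generateDescription() covers only the String/primitive branch; the `if` branch immediately above the shown `else if` (outside the visible context) also returns description text, so confirm it escapes or only ever returns non-user-controlled content, otherwise the same sink remains for other property types. A regression test that passes a property value containing `<` and asserts the returned description contains `&lt;` would pin the fix, and `CmsEncoder.escapeXml(String.valueOf(value))` reads clearer than the `"" + value` concatenation.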
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (4)
News mentions (0)
No linked articles in our index yet.