CVE-2024-41446
Description
A stored cross-site scripting (XSS) vulnerability in Alkacon OpenCMS v17.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the image parameter under the Create/Modify article function.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stored XSS in Alkacon OpenCMS v17.0 allows attackers to inject arbitrary scripts via the image parameter in article creation.
A stored cross-site scripting (XSS) vulnerability exists in Alkacon OpenCMS v17.0 [2], specifically within the Create/Modify article function. The flaw allows an attacker to inject arbitrary web scripts or HTML via a crafted payload in the image parameter [1][3].
Exploitation requires the attacker to have access to the article creation or modification interface, typically granted to authenticated users with content editor roles. The injected payload is stored on the server and executed when other users view the affected article [1].
Successful exploitation enables the attacker to execute arbitrary JavaScript in the context of the victim's browser, potentially leading to session hijacking, defacement, or theft of sensitive data [1][3].
As of the latest information, no official patch has been released for this vulnerability. Users are advised to sanitize user-supplied input, particularly the image parameter, and consider applying web application firewall rules to mitigate the risk [1][3].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.opencms:opencms-coreMaven | <= 17.0 | — |
Affected products
3- Alkacon/OpenCMSdescription
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6News mentions
0No linked articles in our index yet.