Critical severity9.8NVD Advisory· Published May 5, 2026· Updated May 6, 2026

CVE-2026-38429

Description

OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin Import DB feature due to insecure XML parsing of user supplied .zip files containing a manifest.xml.

Affected products

Alkacon/Opencms Corereferences

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/alkacon/opencms-core/commit/e3e41e5a96d71383279e7d23c627efc9934008c1nvd

News mentions

No linked articles in our index yet.

cvss	0.637
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000