VYPR

Openkm

by Openkm


CVEs (16)

  • CVE-2026-42785 (High) May 26, 2026
    risk 0.47, cvss 7.2, epss 0.01

    OpenKM 6.3.12 contains a remote code execution vulnerability that allows authenticated administrators to execute arbitrary Java/BeanShell code through the /admin/Scripting endpoint. Attackers can submit malicious script content with an action=Evaluate parameter to execute…

  • CVE-2026-42425 (High) May 26, 2026
    risk 0.47, cvss 7.2, epss 0.01

    OpenKM 6.3.12 contains an unrestricted SQL execution vulnerability that allows authenticated administrative users to execute arbitrary SQL statements against the application database via the DatabaseQuery interface. Attackers can submit malicious SQL queries through the qs…

  • CVE-2014-8957 (Medium) Oct 6, 2017
    risk 0.35, cvss 5.4, epss 0.01

    Cross-site scripting (XSS) vulnerability in OpenKM before 6.4.19 allows remote authenticated users to inject arbitrary web script or HTML via the Tasks parameter.

  • CVE-2026-41917 (Medium) May 26, 2026
    risk 0.25, cvss 4.9, epss 0.00

    OpenKM 6.3.12 contains a local file inclusion vulnerability in the administrative scripting interface at /admin/Scripting that allows authenticated administrators to read arbitrary files by supplying an attacker-controlled filesystem path through the fsPath parameter with…

  • CVE-2019-11445 Apr 22, 2019
    risk 0.05, cvss n/a, epss 0.14

    OpenKM 6.3.2 through 6.3.7 allows an attacker to upload a malicious JSP file into the /okm:root directories and move that file to the home directory of the site, via frontend/FileUpload and admin/repository_export.jsp. This is achieved by interfering with the Filesystem path…

  • CVE-2012-2316 Sep 9, 2012
    risk 0.03, cvss n/a, epss 0.04

    Cross-site request forgery (CSRF) vulnerability in servlet/admin/AuthServlet.java in OpenKM 5.1.7 and other versions before 5.1.8-2 allows remote attackers to hijack the authentication of administrators for requests that execute arbitrary code via the script parameter to…

  • CVE-2012-2315 Sep 9, 2012
    risk 0.03, cvss n/a, epss 0.06

    admin/Auth in OpenKM 5.1.7 and other versions before 5.1.8-2 does not properly enforce privileges for changing user roles, which allows remote authenticated users to assign administrator privileges to arbitrary users via the userEdit action.

  • CVE-2024-35475 May 22, 2024
    risk 0.00, cvss n/a, epss 0.00

    A Cross-Site Request Forgery (CSRF) vulnerability was discovered in OpenKM Community Edition on or before version 6.3.12. The vulnerability exists in /admin/DatabaseQuery, which allows an attacker to manipulate a victim with administrative privileges to execute arbitrary SQL…

  • CVE-2023-50072 Jan 13, 2024
    risk 0.00, cvss n/a, epss 0.01

    A Stored Cross-Site Scripting (XSS) vulnerability exists in OpenKM version 7.1.40 (dbb6e88) with Professional Extension that allows an authenticated user to upload a note on a file which acts as a stored XSS payload. Any user who opens the note of a document file will trigger…

  • CVE-2021-33950 Feb 17, 2023
    risk 0.00, cvss n/a, epss 0.01

    An issue discovered in OpenKM v6.3.10 allows attackers to obtain sensitive information via the XMLTextExtractor function.

  • CVE-2022-47414 Feb 7, 2023
    risk 0.00, cvss n/a, epss 0.01

    If an attacker has access to the console for OpenKM (and is authenticated), a stored XSS vulnerability is reachable in the document "note" functionality.

  • CVE-2022-47413 Feb 7, 2023
    risk 0.00, cvss n/a, epss 0.01

    Given a malicious document provided by an attacker, the OpenKM DMS is vulnerable to a stored (persistent, or "Type II") XSS condition.

  • CVE-2022-3969 Nov 13, 2022
    risk 0.00, cvss n/a, epss 0.01

    A vulnerability was found in OpenKM up to 6.3.11 and classified as problematic. Affected by this issue is the function getFileExtension of the file src/main/java/com/openkm/util/FileUtils.java. The manipulation leads to insecure temporary file. Upgrading to version 6.3.12 is…

  • CVE-2022-40317 Sep 9, 2022
    risk 0.00, cvss n/a, epss 0.01

    OpenKM 6.3.11 allows stored XSS related to the javascript: substring in an A element.

  • CVE-2014-9017 Mar 11, 2015
    risk 0.00, cvss n/a, epss 0.02

    Cross-site scripting (XSS) vulnerability in OpenKM before 6.4.19 (build 23338) allows remote authenticated users to inject arbitrary web script or HTML via the Subject field in a Task to frontend/index.jsp.

  • CVE-2008-2226 May 14, 2008
    risk 0.00, cvss n/a, epss 0.01

    Unspecified vulnerability in the export feature in OpenKM before 2.0 allows remote attackers to export arbitrary documents via unspecified vectors. NOTE: some of these details are obtained from third party information.