CVE-2023-42346
Deferred Deferred - Pending Action
XXE Vulnerability in Alkacon OpenCms

Publication date: 2026-05-08

Last updated on: 2026-05-11

Assigner: MITRE

Description
Alkacon OpenCms before 16 allows XXE when the <!DOCTYPE> refers to an external host.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-08
Last Modified
2026-05-11
Generated
2026-06-19
AI Q&A
2026-05-08
EPSS Evaluated
2026-06-18
NVD
CVE-2023-42346
EUVD
EUVD-2023-46799
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
alkacon opencms to 16 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Alkacon OpenCms versions before 16 and involves an XML External Entity (XXE) attack. It occurs when the <!DOCTYPE> declaration in an XML document refers to an external host, allowing an attacker to exploit the system by processing external entities.

Impact Analysis

An XXE vulnerability can allow attackers to read sensitive files, perform server-side request forgery (SSRF), or cause denial of service by exploiting the XML parser's handling of external entities. This can lead to unauthorized data access or disruption of service.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-42346. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart