CVE-2023-42346
Deferred Deferred - Pending Action

XXE Vulnerability in Alkacon OpenCms

Vulnerability report for CVE-2023-42346, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-05-08

Last updated on: 2026-05-11

Assigner: MITRE

Description

Alkacon OpenCms before 16 allows XXE when the <!DOCTYPE> refers to an external host.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-05-08
Last Modified
2026-05-11
Generated
2026-07-09
AI Q&A
2026-05-08
EPSS Evaluated
2026-07-08
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
alkacon opencms to 16 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in Alkacon OpenCms versions before 16 and involves an XML External Entity (XXE) attack. It occurs when the <!DOCTYPE> declaration in an XML document refers to an external host, allowing an attacker to exploit the system by processing external entities.

Impact Analysis

An XXE vulnerability can allow attackers to read sensitive files, perform server-side request forgery (SSRF), or cause denial of service by exploiting the XML parser's handling of external entities. This can lead to unauthorized data access or disruption of service.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2023-42346. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart