CVE-2026-38429
XML External Entity Injection in OpenCMS
Publication date: 2026-05-05
Last updated on: 2026-05-06
Assigner: MITRE
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| opencms | opencms | 20 |
| alkacon | opencms | up to 20 (exclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-611 | The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is XML External Entity (XXE) processing in the Admin Import DB feature of OpenCMS v20 and earlier: when a .zip file is imported, the manifest.xml it contains is parsed by an XML parser that resolves external entities. Detection therefore means observing or testing the parser's behaviour during an import operation.
To test whether an instance is vulnerable, import a .zip whose manifest.xml declares an external entity that points at a host you control or at a local file, then watch for the resulting outbound DNS or HTTP request, or for file contents or entity-resolution errors echoed back in the import result. An outbound request to the host named in your test manifest is a reliable indicator that external entities are being resolved.
The CVE record and the linked resources give no specific commands, but general approaches include:
- Capturing traffic from the OpenCMS host during an import (e.g. tcpdump, Wireshark) and looking for DNS lookups or HTTP connections to the host named in the test manifest.
- Submitting crafted manifest.xml payloads that declare external entities to the import feature, using an XXE testing tool or a script together with an out-of-band listener that confirms resolution.
- Reviewing application logs for errors or warnings from XML entity resolution, for example failures to open a file or URL named in a manifest.
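A complementary check is to inspect import archives before they reach the import code. The following is an added example, not code from the OpenCMS project or from the CVE record: it opens an import .zip, locates manifest.xml (the archive layout is assumed, with the manifest at the zip root) and parses it with expat configured so that DTD declarations are reported but never resolved, returning any DOCTYPE, external entity declaration or external entity reference as a finding. The element names in the constructed sample manifests are illustrative and are not OpenCMS's real export schema.

```python
"""Pre-import gate for import .zip archives carrying a manifest.xml.

Added example, not OpenCMS project code. The parser configuration below (no
external DTD subset, no parameter-entity expansion, external general entities
recorded instead of fetched) is the general pattern a hardened import parser
applies; here it is used to flag archives whose manifest contains a DTD at all.
"""
import io
import zipfile
import xml.parsers.expat as expat

MANIFEST_NAME = "manifest.xml"   # assumption: manifest sits at the root of the archive


def scan_manifest(xml_bytes: bytes) -> list[str]:
    """Return findings for one manifest.xml body; an empty list means clean."""
    findings: list[str] = []
    parser = expat.ParserCreate()
    # Never read an external DTD subset and never expand parameter entities.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)

    def on_doctype(name, system_id, public_id, has_internal_subset):
        # An import manifest needs no DTD, so any DOCTYPE is suspect on its own.
        detail = f"DOCTYPE {name}"
        if system_id or public_id:
            detail += f" with external subset (SYSTEM={system_id!r}, PUBLIC={public_id!r})"
        findings.append(detail)

    def on_entity_decl(name, is_param, value, base, system_id, public_id, notation):
        kind = "parameter" if is_param else "general"
        if system_id or public_id:
            # The classic XXE vector: <!ENTITY x SYSTEM "file:///..."> or an http:// URL.
            findings.append(
                f"external {kind} entity {name!r} -> SYSTEM={system_id!r} PUBLIC={public_id!r}")
        else:
            # Internal entities are the building block of entity-expansion DoS.
            findings.append(f"internal {kind} entity {name!r} ({len(value or '')} chars)")

    def on_external_entity_ref(context, base, system_id, public_id):
        # Reached when content references an external entity: record it and
        # return 1 (continue) without opening any file or URL.
        findings.append(f"external entity referenced in content: SYSTEM={system_id!r}")
        return 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity_ref
    try:
        parser.Parse(xml_bytes, True)
    except expat.ExpatError as exc:
        findings.append(f"manifest is not well-formed XML: {exc}")
    return findings


def scan_import_zip(zip_bytes: bytes) -> list[str]:
    """Scan an import archive; returns findings (empty = no DTD or entity use seen)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        if MANIFEST_NAME not in zf.namelist():
            return [f"{MANIFEST_NAME} missing from archive"]
        return scan_manifest(zf.read(MANIFEST_NAME))


def build_zip(manifest_xml: str, name: str = MANIFEST_NAME) -> bytes:
    """Constructed test fixture: a minimal archive holding a single XML member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, manifest_xml)
    return buf.getvalue()


# Constructed sample manifests; element names are illustrative only.
BENIGN_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<export><info><creator>Admin</creator><version>1</version></info></export>
"""

XXE_MANIFEST = """<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE export [
  <!ENTITY xxe SYSTEM "file:///etc/passwd">
]>
<export><info><creator>&xxe;</creator></info></export>
"""

if __name__ == "__main__":
    for label, manifest in (("benign", BENIGN_MANIFEST), ("xxe", XXE_MANIFEST)):
        print(label, scan_import_zip(build_zip(manifest)) or "clean")
```

Run against the benign fixture the scanner returns no findings; against the XXE fixture it reports the DOCTYPE, the external general entity with its `file:///etc/passwd` system identifier, and the reference to it in content, all without the parser ever opening the file. Internal entity declarations are reported too, so an entity-expansion manifest is flagged by the same gate.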
Can you explain this vulnerability to me?
OpenCMS v20 and earlier have an XML External Entity (XXE) vulnerability in the Admin Import DB feature. The feature accepts a user-supplied .zip file and parses the manifest.xml it contains with an XML parser that resolves external entities. An attacker who can get an import archive processed can therefore declare entities in the manifest's DTD whose URIs point at local files or remote hosts, and the parser will fetch them and embed the result in the parsed document.
How can this vulnerability impact me?
Through the parser's handling of external entities during the import, an attacker can read arbitrary files that the OpenCMS process can access, make the server issue requests to internal or external hosts on the attacker's behalf, or exhaust parser resources through entity expansion and so cause a denial of service. The outcome is unauthorised disclosure of data from the server or disruption of the OpenCMS service.
What immediate steps should I take to mitigate this vulnerability?
To mitigate the XML External Entity (XXE) vulnerability in OpenCMS v20 and earlier, apply the fix, which changes how the import feature parses XML:
- Update OpenCMS (the opencms-core code base) to a build that includes commit e3e41e5.
- Confirm that the XML parser used by the import feature resolves entities through the CmsXmlEntityResolver class, as the fix does, so that external entities are not fetched.
- Until the fix is applied, do not import .zip archives from untrusted or unverified sources, and treat the manifest.xml inside any archive as attacker-controlled input.