CVE-2026-38429
Deferred Deferred - Pending Action
XML External Entity Injection in OpenCMS

Publication date: 2026-05-05

Last updated on: 2026-05-06

Assigner: MITRE

Description
OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin Import DB feature due to insecure XML parsing of user supplied .zip files containing a manifest.xml.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-38429
EUVD
EUVD-2026-27401
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
opencms opencms 20
alkacon opencms to 20 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-611 The product processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability in OpenCMS v20 and earlier versions is an XML External Entity (XXE) attack that occurs in the Admin Import DB feature. It arises because the software insecurely parses user-supplied .zip files containing a manifest.xml file. This insecure XML parsing allows an attacker to exploit the XML processing to potentially access or manipulate external entities.

Impact Analysis

This XXE vulnerability can allow an attacker to read arbitrary files on the server, cause denial of service, or potentially execute other malicious actions by exploiting the XML parser's handling of external entities during the import process. This can lead to unauthorized data disclosure or disruption of the OpenCMS service.

Mitigation Strategies

To mitigate the XML External Entity (XXE) vulnerability in OpenCMS v20 and earlier, you should apply the fix that modifies the XML parsing process in the import feature.

  • Update the OpenCMS-core software to include the changes made in the commit with hash e3e41e5.
  • Ensure that the XML parser uses the CmsXmlEntityResolver class to properly resolve XML entities and prevent XXE attacks.
  • Avoid importing untrusted or unauthenticated .zip files containing manifest.xml until the fix is applied.
Detection Guidance

This vulnerability involves XML External Entity (XXE) processing in the Admin Import DB feature of OpenCMS v20 and earlier when importing .zip files containing a manifest.xml. Detection typically involves monitoring or testing the XML parsing behavior during import operations.

To detect if your system is vulnerable, you can attempt to import a crafted .zip file with a malicious manifest.xml that tries to exploit XXE. Observing unexpected outbound network requests or error messages related to external entity resolution can indicate vulnerability.

There are no specific commands provided in the available resources, but general approaches include:

  • Using network monitoring tools (e.g., tcpdump, Wireshark) to detect unexpected external requests during import.
  • Using XML parsing testing tools or scripts that send crafted XML payloads with external entities to the import feature.
  • Reviewing application logs for errors or warnings related to XML entity resolution.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-38429. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart