OpenCMS XML External Entity Vulnerability in Admin Import DB Feature

Vulnerability

A vulnerability allowing XML External Entity (XXE) attacks has been identified in OpenCMS versions up to and including 20. The issue lies in the Admin Import DB feature, which processes user-supplied .zip files containing a manifest.xml without adequate safeguards against external entity resolution, so a crafted manifest can trigger XXE.

Impact

Exploitation of this vulnerability enables XML External Entity attacks, which can lead to disclosure of internal files and, in some configurations, execution of arbitrary code or a denial-of-service condition.

Reproduction

To reproduce this vulnerability, upload through the Admin Import DB feature a .zip file whose manifest.xml declares and references an external entity. The target OpenCMS version must be 20 or earlier.

Remediation

Users should update to OpenCMS version 21.0.1 or later, where this vulnerability has been fixed.
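As an added illustration, and not OpenCMS code nor the fix shipped in 21.0.1, the following Python shows the defensive pattern the import path needs: read the uploaded archive's manifest.xml before handing it to a parser, reject any DTD or entity declaration outright, and parse what remains with external entity resolution switched off. The archive, both sample manifests, and their element names are constructed for this example and do not reflect OpenCMS's real manifest schema; the `file:///placeholder` URI in the rejected sample is a stand-in, not a target.

```python
import io
import re
import zipfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges, feature_external_pes

# Assumption for this example: a legitimate import manifest never carries a DTD,
# so any DOCTYPE or ENTITY declaration is grounds for rejecting the upload.
_DTD_MARKERS = re.compile(rb"<!(DOCTYPE|ENTITY)\b", re.IGNORECASE)


def manifest_is_suspicious(xml_bytes: bytes) -> bool:
    """True if the raw manifest declares a DTD or an entity (XXE precondition)."""
    return _DTD_MARKERS.search(xml_bytes) is not None


class _ElementCollector(ContentHandler):
    """Records element names in document order so the caller can see what was parsed."""

    def __init__(self):
        super().__init__()
        self.elements = []

    def startElement(self, name, attrs):
        self.elements.append(name)


def parse_manifest_safely(xml_bytes: bytes) -> list:
    """Parse with external general and parameter entity resolution disabled."""
    if manifest_is_suspicious(xml_bytes):
        raise ValueError("manifest.xml declares a DTD or entity; refusing to parse")
    parser = xml.sax.make_parser()
    # Defense in depth: even if the pre-check were bypassed, the parser must not
    # fetch external entities (files or URLs named in the DTD).
    parser.setFeature(feature_external_ges, False)
    parser.setFeature(feature_external_pes, False)
    handler = _ElementCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.elements


def inspect_import_zip(zip_bytes: bytes) -> dict:
    """Validate an uploaded import archive the way the import handler should."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        if "manifest.xml" not in zf.namelist():
            return {"status": "rejected", "reason": "no manifest.xml in archive"}
        manifest = zf.read("manifest.xml")
    if manifest_is_suspicious(manifest):
        return {"status": "rejected", "reason": "DTD or entity declaration in manifest.xml"}
    return {"status": "accepted", "elements": parse_manifest_safely(manifest)}


def build_zip(manifest: bytes) -> bytes:
    """Helper to build an in-memory upload containing only manifest.xml."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("manifest.xml", manifest)
    return buf.getvalue()


# Constructed sample: a plain manifest with no DTD (element names are invented).
BENIGN_MANIFEST = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b"<export><info><creator>Admin</creator></info>"
    b"<files><file><source>index.html</source></file></files></export>"
)

# Constructed sample: a manifest that declares an external entity and references it.
# The placeholder URI stands in for whatever such a manifest would point at.
XXE_MANIFEST = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<!DOCTYPE export [<!ENTITY ext SYSTEM "file:///placeholder">]>\n'
    b"<export><info><creator>&ext;</creator></info></export>"
)


if __name__ == "__main__":
    print(inspect_import_zip(build_zip(BENIGN_MANIFEST)))
    print(inspect_import_zip(build_zip(XXE_MANIFEST)))
```

The textual pre-check and the parser features are deliberately independent: the first gives a clear audit-log reason for rejecting an upload, the second guarantees that a manifest which slips past the check still cannot make the parser read local files or contact remote hosts.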

Added: May 5, 2026, 5:21 PM
Updated: May 5, 2026, 5:21 PM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread            3.4
  impact            0.6
  exploitability    7.4
  remediation       0.0
  relevance         7.5
  threat            4.8
  urgency           2.9
  incentive         0.0

Our algorithm analyzes dozens of metrics to produce scores for these 8 vulnerability categories, which are then combined into the overall risk score.