CVE-2026-38429 · CRITICAL 9.8 · EPSS percentile 21.5%

CVE-2026-38429

Description

OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin Import DB feature due to insecure XML parsing of user supplied .zip files containing a manifest.xml.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.30% probability of exploitation · percentile 21.5% · 2026-06-19T12:03:05Z
Published: 2026-05-05
Last modified: 2026-05-06

Underlying weaknesses · 1

CWE-611

References

  1. https://github.com/alkacon/opencms-core/commit/e3e41e5a96d71383279e7d23c627efc9934008c1

Type       | Target                                                          | Confidence | Tier
Weakness   | Improper Restriction of XML External Entity Reference (cwe-611) | 0%         | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE-2026-41936
  2. CVE-2026-32985
  3. Adobe Commerce and Magento Open Source Improper Restriction of XML External Entity Reference (XXE) Vulnerability
  4. CVE-2026-21389
  5. CVE-2025-10713
  6. CVE-2026-22877

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.