CVE-2026-38429 — CRITICAL (9.8)

Vulnerability Description

OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin Import DB feature due to insecure XML parsing of user supplied .zip files containing a manifest.xml.

CVSS Score

9.8

CRITICAL

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

HIGH

Related Weaknesses (CWE)

CWE-611

References

https://github.com/alkacon/opencms-core/commit/e3e41e5a96d71383279e7d23c627efc99

FAQ

What is CVE-2026-38429?

CVE-2026-38429 is a vulnerability with a CVSS score of 9.8 (CRITICAL). OpenCMS v20 and before is vulnerable to XML External Entity (XXE) in the Admin Import DB feature due to insecure XML parsing of user supplied .zip files containing a manifest.xml.

How severe is CVE-2026-38429?

CVE-2026-38429 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.

Is there a patch for CVE-2026-38429?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.