Alkacon OpenCms allows remote unauthenticated attackers to obtain sensitive information

GHSA-rcc6-6q2f-m2cw · CVE-2023-42344

Published May 8, 2026 · Modified May 14, 2026

Description

Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2023-42344
WEB https://github.com/projectdiscovery/nuclei-templates/issues/8864
PACKAGE https://github.com/alkacon/opencms-core
WEB https://labs.watchtowr.com/xxe-you-can-depend-on-me-opencms

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes