PT-2026-20772 · Alkacon · Alkacon Opencms

Published: 2026-02-19 · Updated: 2026-02-19 · CVE-2026-2735

CVSS v3.1: 5.4 (Medium)

Vector: AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Alkacon OpenCms version 18.0

Description

A stored Cross-Site Scripting (XSS) issue exists in Alkacon OpenCms version 18.0. The issue occurs because user-supplied data is not adequately validated when a POST request is sent to the following API endpoint: /blog/new-article/org.opencms.ugc.CmsUgcEditService.gwt. The vulnerable parameter is text. This allows an attacker to inject malicious scripts that will be executed in the context of other users' browsers.

Recommendations

Apply input validation to the text parameter when processing POST requests to the /blog/new-article/org.opencms.ugc.CmsUgcEditService.gwt endpoint.

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-2735

Affected Products

Alkacon Opencms