PT-2026-20773 · Alkacon · Alkacon Opencms

Published 2026-02-19 · Updated 2026-02-19 · CVE-2026-2736

CVSS v3.1: 6.1 Medium

Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Alkacon OpenCms version 18.0

Description

A reflected cross-site scripting (XSS) issue exists in Alkacon OpenCms version 18.0. It allows an attacker to execute JavaScript code in a user's browser. To exploit it, the attacker sends a victim a malicious URL for the '/search/index.html' endpoint containing a crafted q parameter. Successful exploitation could lead to the theft of sensitive user information, such as session cookies, or allow the attacker to perform actions while impersonating the user.

Recommendations

Apply a fix for Alkacon OpenCms version 18.0 that addresses the reflected XSS issue. As a temporary workaround, sanitize the q parameter of the '/search/index.html' endpoint to prevent the execution of malicious JavaScript code.
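
While the fix is pending, access logs can be reviewed for requests that match the description above. The following check is an added example, not code from the advisory or from Alkacon: it flags requests to '/search/index.html' whose q value decodes to HTML markup characters. The combined access-log format, the sample lines and all function names are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

ENDPOINT = "/search/index.html"  # endpoint named in the advisory
PARAM = "q"                      # parameter named in the advisory
# Characters that let a reflected value leave HTML text or an attribute.
# Hits are leads for review: a quote in a normal search also matches.
MARKUP = re.compile(r"[<>\"']")
# Request line of a combined-format access log entry (assumed format).
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/[\d.]+"')

# Constructed sample log lines (documentation address ranges).
SAMPLE = [
    '198.51.100.4 - - [19/Feb/2026:09:12:01 +0000] "GET /search/index.html?q=release+notes HTTP/1.1" 200 4312',
    '203.0.113.7 - - [19/Feb/2026:09:12:44 +0000] "GET /search/index.html?q=%3Cscript%3Ealert(1)%3C%2Fscript%3E HTTP/1.1" 200 4390',
    '203.0.113.7 - - [19/Feb/2026:09:13:02 +0000] "GET /search/index.html?q=%253Cb%253Ex HTTP/1.1" 200 4377',
    '198.51.100.9 - - [19/Feb/2026:09:14:10 +0000] "GET /news/index.html?q=%3Cb%3E HTTP/1.1" 200 900',
]

def decode_fully(value, rounds=3):
    """Percent-decode repeatedly so double-encoded markup is also seen."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_q_values(log_line):
    """Return decoded q values with markup characters sent to the endpoint."""
    match = REQUEST.search(log_line)
    if not match:
        return []
    url = urlsplit(match.group(1))
    # endswith() tolerates a servlet context path in front of the endpoint.
    if not unquote(url.path).endswith(ENDPOINT):
        return []
    values = parse_qs(url.query, keep_blank_values=True).get(PARAM, [])
    decoded = [decode_fully(v) for v in values]
    return [v for v in decoded if MARKUP.search(v)]

def scan(lines):
    """Return (line number, suspicious values) for every flagged line."""
    return [(n, hits) for n, line in enumerate(lines, 1)
            if (hits := suspicious_q_values(line))]

if __name__ == "__main__":
    for number, hits in scan(SAMPLE):
        print(number, hits)
```
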

Fix

XSS

Weakness Enumeration

Related Identifiers

CVE-2026-2736

Affected Products

Alkacon Opencms