PT-2026-37087 · Opencms · Opencms

Westenberger · Published 2026-05-05 · Updated 2026-05-12 · CVE-2026-38429

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenCMS versions prior to 21

Description: The Admin Import DB feature is susceptible to XML External Entity (XXE) injection, a flaw where an application processes XML input containing a reference to an external entity, potentially allowing unauthorized access to files or internal systems. The flaw arises from insecure XML parsing of user-supplied .zip files that contain a manifest.xml file.

Recommendations: Update to a version later than v20. As a temporary workaround, restrict the use of the Admin Import DB feature or avoid importing .zip files from untrusted sources.
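As an added example that is not OpenCms's own code (the project's actual import parser is not shown on this page), the following Java class reads the manifest.xml entry of an uploaded .zip and parses it with a DocumentBuilderFactory hardened against XXE; the class and method names are hypothetical, and the sample archive with a DOCTYPE-bearing manifest is constructed inline so the rejection can be observed offline:

```java
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.util.zip.*;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXParseException;
public class SafeManifestParser {
    // Hardened factory: forbid DOCTYPE (and so every entity declaration), external entities, external DTD loading and XInclude.
    static DocumentBuilderFactory hardenedFactory() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(XMLConstants.FEATURE_SECURE_PROCESSING, true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        f.setFeature("http://xml.org/sax/features/external-general-entities", false);
        f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
        f.setFeature("http://apache.org/xml/features/nonvalidating/load-external-dtd", false);
        f.setXIncludeAware(false);
        f.setExpandEntityReferences(false);
        return f;
    }
    // Walk the uploaded archive and parse manifest.xml; ZipInputStream hands the parser only that entry's bytes.
    static Document parseManifest(InputStream upload) throws Exception {
        try (ZipInputStream zis = new ZipInputStream(upload)) {
            for (ZipEntry e = zis.getNextEntry(); e != null; e = zis.getNextEntry()) {
                if ("manifest.xml".equals(e.getName())) return hardenedFactory().newDocumentBuilder().parse(zis);
            }
        }
        throw new IllegalArgumentException("archive contains no manifest.xml");
    }
    static byte[] sampleZip(String manifestXml) throws Exception {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            zos.putNextEntry(new ZipEntry("manifest.xml"));
            zos.write(manifestXml.getBytes(StandardCharsets.UTF_8));
            zos.closeEntry();
        }
        return bos.toByteArray();
    }
    public static void main(String[] args) throws Exception {
        // Constructed sample (hypothetical content): a manifest whose DOCTYPE declares an external entity.
        String manifest = "<?xml version=\"1.0\"?><!DOCTYPE export [<!ENTITY ext SYSTEM \"file:///placeholder\">]>"
            + "<export><info>&ext;</info></export>";
        try {
            parseManifest(new ByteArrayInputStream(sampleZip(manifest)));
        } catch (SAXParseException ex) {
            System.out.println("rejected: " + ex.getMessage()); // the DOCTYPE itself is refused, before any entity is resolved
        }
    }
}
```

Because the DOCTYPE is refused outright, the parser never reaches the entity reference; a manifest without a DOCTYPE parses normally through the same path.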

Fix

XXE

Related Identifiers

CVE-2026-38429

Affected Products

Opencms