CVE-2026-41917

Name of the Vulnerable Software and Affected Versions OpenKM version 6.3.12

Description A local file inclusion issue exists in the administrative scripting interface at the '/admin/Scripting' endpoint. Authenticated administrators can read arbitrary files by providing a controlled filesystem path through the fsPath parameter when using action=Load. This allows access to sensitive data, such as the /etc/passwd file, configuration files containing database credentials, and JVM keystores accessible to the process.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.