PT-2026-43254 · Openkm · Openkm

Published: 2026-05-26 · Updated: 2026-05-26 · CVE-2026-42425

CVSS v3.1: 7.2 (High)

Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenKM version 6.3.12

Description: Authenticated administrative users can execute arbitrary SQL statements against the application database through the DatabaseQuery interface. By submitting malicious SQL queries via the qs parameter to the '/admin/DatabaseQuery' endpoint, an attacker can extract sensitive data from the OKM USER table, such as usernames and password hashes, modify permissions, or delete database records.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

SQL injection

Weakness Enumeration

Related Identifiers

CVE-2026-42425

Affected Products

Openkm