GHSA-rcc6-6q2f-m2cw

Source

https://github.com/advisories/GHSA-rcc6-6q2f-m2cw

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-rcc6-6q2f-m2cw/GHSA-rcc6-6q2f-m2cw.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-rcc6-6q2f-m2cw

Aliases

CVE-2023-42344

Published

2026-05-08T06:32:37Z

Modified

2026-05-14T13:25:14.205018Z

Severity

7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator

Summary

Alkacon OpenCms allows remote unauthenticated attackers to obtain sensitive information

Details

Alkacon OpenCms before 10.5.1 allows remote unauthenticated attackers to obtain sensitive information via a cmis-online/query XXE attack on a Chemistry servlet.

Database specific

{
    "cwe_ids": [
        "CWE-611"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-05-14T13:05:13Z",
    "nvd_published_at": "2026-05-08T05:16:09Z",
    "severity": "HIGH"
}

References

Affected packages

Maven / org.opencms:opencms-core

Package

Name: org.opencms:opencms-core; View open source insights on deps.dev
Purl: pkg:maven/org.opencms/opencms-core

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

10.5.1

Affected versions

8.*

8.0.1

8.0.2

8.0.3

8.0.3-rev

8.0.3.1

8.0.4

8.5.0

8.5.1

8.5.2

9.*

9.0.0

9.0.1

9.5.0

9.5.1

9.5.2

9.5.3

10.*

10.0.0

10.0.1

10.5.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-rcc6-6q2f-m2cw/GHSA-rcc6-6q2f-m2cw.json"