Multiple vulnerabilities in Alkacon's OpenCms

Posted date 19/02/2026
Identifier
INCIBE-2026-127
Importance
3 - Medium
Affected Resources

OpenCms, version 18.0.

Description

INCIBE has coordinated the publication of two medium-severity vulnerabilities affecting OpenCms version 18.0, an open-source content management system based on Java and XML technology, which were discovered by Gonzalo Aguilar García (6h4ack).

The following identifier, CVSS v4.0 base score, CVSS vector and CWE vulnerability type have been assigned to each vulnerability:

  • CVE-2026-2735: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
  • CVE-2026-2736: CVSS v4.0: 5.1 | CVSS AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N | CWE-79
Solution

The vulnerabilities have been fixed by the Alkacon team in version 19.0.

Detail
  • CVE-2026-2735: stored Cross-Site Scripting (XSS) in Alkacon's OpenCms v18.0, which occurs when user input is not properly validated when sending a POST request to ‘/blog/new-article/org.opencms.ugc.CmsUgcEditService.gwt’ using the ‘text’ parameter.
  • CVE-2026-2736: reflected Cross-Site Scripting (XSS) in Alkacon's OpenCms v18.0, which allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL containing the ‘q’ parameter in ‘/search/index.html’. This vulnerability can be exploited to steal sensitive user information such as session cookies, or to perform actions while impersonating the user.
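As an added example that is not part of the INCIBE advisory or of OpenCms itself, the following Python log triage script flags access-log requests matching the two paths and parameters named above, so that the ‘q’ value or the POSTed ‘text’ field can be reviewed. The Apache common log format, the markup heuristic and the sample log lines are assumptions constructed for this example.

```python
"""Triage helper for the two OpenCms 18.0 XSS issues described above: flags
access-log requests that hit /search/index.html with markup in 'q' (CVE-2026-2736)
or POST to the UGC edit service path (CVE-2026-2735). Sample lines are constructed."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Paths exactly as named in the advisory.
SEARCH_PATH = "/search/index.html"
UGC_PATH = "/blog/new-article/org.opencms.ugc.CmsUgcEditService.gwt"

# Apache common log format (assumed): ip ident user [date] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A tag opener, a javascript: URL or an on*= handler has no place in a search term.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-z!]|javascript:|\bon[a-z]+\s*=", re.IGNORECASE)

def classify(line):
    """Return (cve_id, reason) for a suspicious log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    method, target = m.group("method"), m.group("target")
    parts = urlsplit(target)
    if parts.path == SEARCH_PATH:
        # parse_qs decodes once; the extra unquote also catches double-encoded values.
        for q in parse_qs(parts.query, keep_blank_values=True).get("q", []):
            if MARKUP_RE.search(unquote(q)):
                return ("CVE-2026-2736", "markup in 'q' parameter")
    if method == "POST" and parts.path == UGC_PATH:
        # Legitimate UGC submissions post here too: a pointer to review 'text', not a verdict.
        return ("CVE-2026-2735", "UGC edit service POST; inspect 'text' in the request body")
    return None

def scan(lines):
    """Return [(line_no, cve_id, reason), ...] for every flagged line."""
    return [(n, *hit) for n, line in enumerate(lines, 1) if (hit := classify(line))]

# Constructed sample lines: a benign search, a search carrying markup, a UGC
# submission and a search term that merely contains the letters "on".
SAMPLE_LOG = [
    '203.0.113.5 - - [19/Feb/2026:10:00:01 +0100] "GET /search/index.html?q=opencms HTTP/1.1" 200 1532',
    '203.0.113.5 - - [19/Feb/2026:10:00:02 +0100] "GET /search/index.html?q=%3Cb%3Etest%3C%2Fb%3E HTTP/1.1" 200 1602',
    '198.51.100.7 - - [19/Feb/2026:10:00:03 +0100] "POST /blog/new-article/org.opencms.ugc.CmsUgcEditService.gwt HTTP/1.1" 200 210',
    '203.0.113.9 - - [19/Feb/2026:10:00:04 +0100] "GET /search/index.html?q=configuration%3Dopencms HTTP/1.1" 200 1500',
]

if __name__ == "__main__":
    for n, cve, reason in scan(SAMPLE_LOG):
        print(f"line {n}: {cve} ({reason})")
```

Hits on the UGC path only tell you where to look; the stored payload lives in the POST body, which the access log does not carry.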
CVE
CVE identifier | Severity | Exploitation | Vendor
CVE-2026-2735 | Medium | No | Alkacon
CVE-2026-2736 | Medium | No | Alkacon