CVE-2026-41917
Severity CVSS v4.0:
MEDIUM
Type:
CWE-22
Path Traversal
Publication date:
26/05/2026
Last modified:
26/05/2026
Description
OpenKM 6.3.12 contains a local file inclusion vulnerability in the administrative scripting interface at /admin/Scripting that allows authenticated administrators to read arbitrary files by supplying an attacker-controlled filesystem path through the fsPath parameter with action=Load. Attackers can exploit this to access sensitive files including /etc/passwd, configuration files containing database credentials, and JVM keystores accessible to the OpenKM process.
Impact
Base Score 4.0
6.90
Severity 4.0
MEDIUM
Base Score 3.x
4.90
Severity 3.x
MEDIUM
References to Advisories, Solutions, and Tools
- https://github.com/terrasystemlabs/Exploits/tree/main/OpenKM-Exploits
- https://github.com/terrasystemlabs/Exploits/tree/main/OpenKM-Exploits/nuclei-templates/openkm-local-file-execution
- https://hub.docker.com/r/openkm/openkm-ce
- https://terrasystemlabs.com/post?slug=openkm-zero-day-vulnerabilities-terra-system-labs
- https://www.exploit-db.com/exploits/52520
- https://www.openkm.com/
- https://www.vulncheck.com/advisories/openkm-local-file-inclusion-via-admin-scripting



