6.9
/ 10
MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Description
OpenKM 6.3.12 contains a local file inclusion vulnerability in the administrative scripting interface at /admin/Scripting that allows authenticated administrators to read arbitrary files by supplying an attacker-controlled filesystem path through the fsPath parameter with action=Load. Attackers can exploit this to access sensitive files including /etc/passwd, configuration files containing database credentials, and JVM keystores accessible to the OpenKM process.
Basic Information
ID
CVE-2026-41917
Source
VulnCheck
Published
May 26, 2026 at 14:08
Affected Product
Vendor
Openkm
Product
OpenKM Community Edition
Affected Versions
Openkm OpenKM Community Edition 0
Openkm OpenKM Professional Edition 0
Openkm OpenKM Professional Edition 0
CWE Classification
References
- www.exploit-db.com /exploits/52520
- www.openkm.com /
- hub.docker.com /r/openkm/openkm-ce
- terrasystemlabs.com /post
- github.com /terrasystemlabs/Exploits/tree/main/OpenKM-Exploits
- github.com /terrasystemlabs/Exploits/tree/main/OpenKM-Exploits/nuclei-templates/openkm-local-file-execution
- www.vulncheck.com /advisories/openkm-local-file-inclusion-via-admin-scripting