216.73.217.64

CVE-2026-42425

· Published 26/05/2026 15:16 · Modified 26/05/2026 19:47

Labels: CVE-2026-42425 2026-05-26CVE-2026-42425CWE-89[email protected]

Essential information

Published
26/05/2026 15:16
Modified
26/05/2026 19:47
Author
Creator
CVSS
8.6 HIGH (v3) 8.6 HIGH (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

OpenKM 6.3.12 contains an unrestricted SQL execution vulnerability that allows authenticated administrative users to execute arbitrary SQL statements against the application database via the DatabaseQuery interface. Attackers can submit malicious SQL queries through the qs parameter to the /admin/DatabaseQuery endpoint to extract sensitive data including usernames and password hashes from the OKM_USER table, modify permissions, or delete database records.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
openkm / openkm cpe:2.3:a:openkm:openkm:6.3.12:*:*:*:*:*:*:*

References