This vulnerability enables a remote attacker, without authentication, to trigger an XML External Entity resolution against the cmis-online/query endpoint of the Chemistry servlet in Alkacon OpenCms. If successful, the attacker can read files or data accessible to the application’s process, potentially revealing passwords, configuration files, or other sensitive information. The weakness falls under XML External Entity (XXE) vulnerabilities, which allow disclosure of internal data and compromise application confidentiality.

OpenCms installations powered by Alkacon prior to version 10.5.1 are impacted. The chemistry servlet and CMIS services form the attack surface; the vulnerability specifically targets the query functionality exposed through cmis-online/query.

The CVSS score is 7.3, but the EPSS score of 8% shows a moderate yet non-zero probability of exploitation, indicating that although not extremely common, the vulnerability is still considered actionable. The CVE is not listed in CISA's KEV catalog, indicating no publicly documented exploitation yet. The attack vector would typically be an HTTP request constructed to include an external entity reference, which, if the XML parser allows it, results in the application leaking requested data. Because no authentication is required, the logic path is open to anyone able to reach the exposed endpoint.