Impact
A flaw in the updateModelGroups.jsp page of Alkacon OpenCms allows an attacker to inject arbitrary client‑side script code into pages rendered to other users. This vulnerability can lead to session hijacking, credential theft, or the execution of malicious actions within a victim’s browser context. The weakness lies in insufficient filtering of user‑controlled input before it is rendered in the page, a classic Cross‑Site Scripting (XSS) problem.
Affected Systems
Alkacon OpenCms versions released prior to 16 are affected. No specific patch version is listed in the advisory, so any deployment of OpenCms before the 16 release should be treated as vulnerable.
Risk and Exploitability
The severity has not been quantified in the CVE entry, and no EPSS value is available, but the issue is a client‑side vulnerability that can be triggered via a web request to the vulnerable page. Because the payload is delivered through an HTTP request and executes in the browsers of other users, the attack vector is likely network‑based and can be abused by anyone able to send HTTP requests to the web application. The vulnerability is not listed in CISA’s KEV catalog, suggesting it had not been widely exploited publicly at the time of this analysis.
OpenCVE Enrichment