Based on the description, it is inferred that Alkacon OpenCms versions prior to 16 incorrectly process XML documents that contain a DOCTYPE declaration pointing to an external host, enabling a malicious actor to embed external entity references. The server resolves these entities, which can lead to unauthorized file reads, server‑side request forgery, and a foothold for code execution. This weakness corresponds to XML External Entity (XXE) and is classified as CWE-611. The impact is the disclosure of confidential information, potential service disruption, and facilitation of further exploitation.

Alkacon OpenCms installations running any version earlier than 16. Because no specific version list is supplied, all releases before 16 are considered vulnerable and should be verified for the presence of the flaw.

The CVSS score is not provided, and no EPSS data is available, indicating that the vulnerability has not been widely reported or measured in real‑world exploitation yet. Based on the description, it is inferred that the flaw can be triggered remotely through the XML processing interface if the application accepts XML input from unauthenticated or poorly authenticated users, and that remote code execution is a potential risk depending on application behavior. The ability to read arbitrary files and reach external hosts makes the potential impact high. Immediate assessment and mitigation are recommended even though the vulnerability is not yet listed in CISA’s KEV catalog.