Description
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in OpenText Access Manager allows Cross-Site Scripting (XSS).

This issue affects Access Manager: from 5.1 through 5.1.2.
Published: 2026-06-24
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This flaw allows an attacker to inject malicious script into a page that is subsequently served to a victim’s browser, enabling data theft, session hijacking, or defacement. The improper neutralization of user input during page generation creates a reflected XSS condition that can be triggered through crafted URLs or form fields. The impact is confined to the browser context but any attacker who succeeds can exfiltrate cookies, identity data, or inject further malware. Based on the description, it is inferred that the attack requires a victim to click a malicious link or submit crafted data to trigger the XSS.

Affected Systems

OpenText Access Manager versions 5.1 through 5.1.2 are vulnerable. No other products or versions are listed as affected.

Risk and Exploitability

The CVSS score of 8.2 indicates a high‑severity flaw, though its EPSS score is not available and it is not listed in the CISA KEV catalog. The vulnerability is a client‑side issue that requires a victim to click a crafted link or submit data, so it is remotely exploitable with user interaction. Based on the description, it is inferred that the vulnerability requires victim interaction to be exploited.

Generated by OpenCVE AI on June 24, 2026 at 15:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the vendor‑provided security update that removes the reflected XSS flaw from Access Manager 5.1 through 5.1.2.
  • If the update cannot be applied immediately, configure strict input validation or reject URL parameters that contain script payloads to reduce the attack surface.
  • Deploy a web‑application firewall rule to block typical reflected XSS payloads and monitor the logs for suspicious activity.

Generated by OpenCVE AI on June 24, 2026 at 15:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Opentext
Opentext access Manager
Vendors & Products Opentext
Opentext access Manager

Wed, 24 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 24 Jun 2026 14:30:00 +0000

Type Values Removed Values Added
Description Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in OpenText Access Manager allows Cross-Site Scripting (XSS). This issue affects Access Manager: from 5.1 through 5.1.2.
Title Reflected Cross-Site Scripting vulnerability in OpenText Access Manager
Weaknesses CWE-79
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N'}

Subscriptions

Opentext Access Manager
cve-icon MITRE

Status: PUBLISHED

Assigner: OpenText

Published:

Updated: 2026-06-24T15:07:17.251Z

Reserved: 2026-06-10T13:20:08.609Z

Link: CVE-2026-11878

cve-icon Vulnrichment

Updated: 2026-06-24T15:07:11.000Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:40:46Z

Weaknesses
  • CWE-79

    Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')