Description
Stored Cross-Site Scripting (XSS) in Alkacon's OpenCms v18.0, which occurs when user input is not properly validated when sending a POST request to ‘/blog/new-article/org.opencms.ugc.CmsUgcEditService.gwt’ using the ‘text’ parameter.
Published: 2026-02-19
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored XSS
Action: Apply Patch
AI Analysis

Impact

The vulnerability is a stored cross‑site scripting flaw in Alkacon's OpenCms version 18.0, caused when user input in the ‘text’ parameter of a POST request to /blog/new-article/org.opencms.ugc.CmsUgcEditService.gwt is not validated. An attacker could inject script that runs in the browser of any user who views the affected content, potentially enabling session hijacking, credential theft, defacement, or requests made on behalf of the site’s users. This flaw is identified as CWE‑79.

Affected Systems

This issue affects Alkacon’s OpenCms product at version 18.0.0, and all 18.x releases that have not been patched. The Alkacon team has released a fix in version 19.0, which removes the vulnerability.

Risk and Exploitability

The flaw has a CVSS score of 5.1, indicating moderate severity. Because the EPSS score is below 1% and the vulnerability is not included in CISA’s KEV catalog, widespread exploitation is unlikely at present. The attack is delivered through the web front‑end: an attacker must supply malicious input through the blog posting interface, but any user who later views the stored content can be affected. The risk is greatest for sites that allow unauthenticated or publicly editable blog posts.

Generated by OpenCVE AI on April 18, 2026 at 11:50 UTC.

Remediation

Vendor Solution

The vulnerabilities have been fixed by the Alkacon team in version 19.0.
OpenCVE Recommended Actions

  • Update Alkacon OpenCms to version 19.0 to apply the vendor‑supplied fix.
  • Disable or restrict anonymous or unauthenticated blog posting to prevent injection of malicious content.
  • Deploy a web application firewall or input‑validation filter that strips or encodes HTML from the text field before storage.
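The third action above amounts to HTML-encoding the submitted ‘text’ value before it is stored (or, equivalently, before it is rendered). The following Java snippet is an added illustration and is not OpenCms code: it defines a small encoder for the characters that change HTML context and applies it to a constructed ‘text’ parameter, so that a stored article body containing markup is rendered as literal text rather than executed. The class name, the `sanitizeArticleText` hook and the `Map`-based parameter input are assumptions made for the example.

```java
import java.util.Map;

public final class StoredXssMitigation {

    // Encode the characters that can change HTML context, so stored text
    // is rendered literally instead of being parsed as markup.
    static String htmlEncode(String input) {
        if (input == null) {
            return "";
        }
        StringBuilder out = new StringBuilder(input.length() + 16);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '&':  out.append("&amp;");  break;
                case '<':  out.append("&lt;");   break;
                case '>':  out.append("&gt;");   break;
                case '"':  out.append("&quot;"); break;
                case '\'': out.append("&#x27;"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // Hypothetical hook: encode the 'text' field before the article is persisted.
    static String sanitizeArticleText(Map<String, String> params) {
        return htmlEncode(params.get("text"));
    }

    public static void main(String[] args) {
        // Constructed request parameters standing in for the POST body.
        Map<String, String> params = Map.of(
            "title", "Example article",
            "text", "Hello <b>world</b> & <script>");
        String stored = sanitizeArticleText(params);
        System.out.println(stored);
        // Defensive check: nothing that could open or close a tag survives encoding.
        if (stored.indexOf('<') >= 0 || stored.indexOf('>') >= 0) {
            throw new IllegalStateException("raw markup survived encoding");
        }
    }
}
```

Encoding at storage time turns the whole field into plain text, which is the right choice when blog bodies do not need formatting. If authors legitimately need rich text, an allow-list HTML sanitizer should be used instead, and the value should in any case be encoded for the HTML context at the point where it is rendered.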

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:alkacon:opencms:18.0.0:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}


Fri, 20 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 19 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description Stored Cross-Site Scripting (XSS) in Alkacon's OpenCms v18.0, which occurs when user input is not properly validated when sending a POST request to ‘/blog/new-article/org.opencms.ugc.CmsUgcEditService.gwt’ using the ‘text’ parameter.
Title Stored Cross-Site Scripting (XSS) vulnerability in Alkacon's OpenCms
First Time appeared Alkacon
Alkacon opencms
Weaknesses CWE-79
CPEs cpe:2.3:a:alkacon:opencms:18.0:*:*:*:*:*:*:*
Vendors & Products Alkacon
Alkacon opencms
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}


MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-02-20T16:05:26.014Z

Reserved: 2026-02-19T08:18:53.756Z

Link: CVE-2026-2735

Vulnrichment

Updated: 2026-02-20T16:05:19.631Z

NVD

Status: Analyzed

Published: 2026-02-19T09:16:28.480

Modified: 2026-02-23T19:16:05.077

Link: CVE-2026-2735

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T12:00:05Z

Weaknesses