Description
Reflected Cross-site Scripting (XSS) in Alkacon's OpenCms v18.0, which allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL containing the ‘q’ parameter in ‘/search/index.html’. This vulnerability can be exploited to steal sensitive user information such as session cookies, or to perform actions while impersonating the user.
Published: 2026-02-19
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Cross‑Site Scripting (XSS)
Action: Patch
AI Analysis

Impact

A reflected Cross‑Site Scripting flaw exists in Alkacon OpenCms 18.x, triggered by the 'q' query parameter in the /search/index.html page. The attacker can embed malicious JavaScript in a crafted URL that executes in the victim’s browser, allowing the theft of session cookies and impersonation of the user.

Affected Systems

Alkacon’s OpenCms versions 18.0.0 and 18.0 are vulnerable; any deployment running these releases without the fix is exposed.

Risk and Exploitability

The CVSS base score of 5.1 indicates moderate severity, while the EPSS of <1 % suggests a low likelihood of exploitation, and the flaw is not listed in CISA's catalog of known exploited vulnerabilities. Exploitation requires only a malicious URL sent to a target, with no authentication or privileged access needed. If exploited, attackers can hijack sessions and perform actions as the victim, representing a medium threat to users who rely on the public search functionality.

Generated by OpenCVE AI on April 17, 2026 at 18:10 UTC.

Remediation

Vendor Solution

The vulnerabilities have been fixed by the Alkacon team in version 19.0.

OpenCVE Recommended Actions

  • Upgrade Alkacon OpenCms to version 19.0 or later, which contains the fixed code for the search endpoint.
  • Validate and encode all input parameters, especially the 'q' query string, before rendering to prevent reflected XSS.
  • Restrict or disable public access to the /search/index.html page, ensuring only authenticated users can use the search feature.
  • Consider deploying a web application firewall rule that blocks suspicious XSS payloads targeting the search parameter.

Generated by OpenCVE AI on April 17, 2026 at 18:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 23 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:alkacon:opencms:18.0.0:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N'}

Sat, 21 Feb 2026 07:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 19 Feb 2026 08:45:00 +0000

Type Values Removed Values Added
Description Reflected Cross-site Scripting (XSS) in Alkacon's OpenCms v18.0, which allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL containing the ‘q’ parameter in ‘/search/index.html’. This vulnerability can be exploited to steal sensitive user information such as session cookies, or to perform actions while impersonating the user.
Title Reflected Cross-Site Scripting (XSS) vulnerability in Alkacon's OpenCms
First Time appeared Alkacon
Alkacon opencms
Weaknesses CWE-79
CPEs cpe:2.3:a:alkacon:opencms:18.0:*:*:*:*:*:*:*
Vendors & Products Alkacon
Alkacon opencms
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N'}

Subscriptions

Alkacon Opencms
cve-icon MITRE

Status: PUBLISHED

Assigner: INCIBE

Published:

Updated: 2026-03-09T08:54:49.983Z

Reserved: 2026-02-19T08:18:54.936Z

Link: CVE-2026-2736

cve-icon Vulnrichment

Updated: 2026-02-20T16:06:12.948Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-19T09:16:28.657

Modified: 2026-02-23T19:15:32.627

Link: CVE-2026-2736

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T18:15:26Z

Weaknesses