Impact
OpenCMS versions 20 and earlier are affected by an XML External Entity (XXE) flaw in the Admin Import DB feature. The vulnerability arises because the application insecurely parses the XML contained in user-supplied ZIP files that include a manifest.xml. An attacker who can supply a crafted ZIP file can cause the server to resolve external entities, potentially allowing arbitrary files on the system to be read or other sensitive data to be exfiltrated. The primary impact is information disclosure; in vulnerable configurations it could also lead to denial of service if the parser is overwhelmed by large or malformed external entities.
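An input gate for the upload path described above, added here as an example rather than OpenCMS's own code: it refuses any manifest.xml carrying a DOCTYPE (the only place an entity can be declared) and bounds the decompressed size before any parser sees the bytes. The archive layout (a top-level manifest.xml), the size limit and both sample archives are assumptions constructed for the example.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

MANIFEST_NAME = "manifest.xml"
MAX_MANIFEST_BYTES = 1_000_000  # assumed cap on the decompressed manifest
# A DTD is the only place an entity can be declared, so any DOCTYPE is refused.
DOCTYPE_RE = re.compile(rb"<!DOCTYPE", re.IGNORECASE)

class UnsafeManifest(ValueError):
    """Raised when the uploaded archive fails the pre-parse checks."""

def load_manifest(zip_bytes: bytes) -> ET.Element:
    """Return the parsed root of manifest.xml, or raise UnsafeManifest."""
    try:
        with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
            if MANIFEST_NAME not in zf.namelist():
                raise UnsafeManifest("manifest.xml missing")
            # Header sizes are untrusted: bound the actual decompressed stream.
            with zf.open(MANIFEST_NAME) as fh:
                data = fh.read(MAX_MANIFEST_BYTES + 1)
    except zipfile.BadZipFile as exc:
        raise UnsafeManifest(f"not a valid ZIP: {exc}") from exc
    if len(data) > MAX_MANIFEST_BYTES:
        raise UnsafeManifest("manifest.xml too large")
    if DOCTYPE_RE.search(data):
        raise UnsafeManifest("DOCTYPE/entity declarations are not allowed")
    return ET.fromstring(data)  # no DTD reached the parser, nothing to expand

def build_zip(manifest_xml: bytes) -> bytes:
    """Constructed sample archive with a single manifest.xml entry."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(MANIFEST_NAME, manifest_xml)
    return buf.getvalue()

BENIGN = build_zip(b'<?xml version="1.0"?><export><info><creator>admin</creator></info></export>')
# Constructed stand-in for the crafted manifest the advisory describes: a DTD
# declaring an external entity (the SYSTEM target is a placeholder).
CRAFTED = build_zip(b'<?xml version="1.0"?><!DOCTYPE export [<!ENTITY ext SYSTEM '
                    b'"file:///PLACEHOLDER_PATH">]><export>&ext;</export>')

def check(zip_bytes: bytes) -> str:
    """Outcome for one upload: 'ok: <root tag>' or 'rejected: <reason>'."""
    try:
        return f"ok: {load_manifest(zip_bytes).tag}"
    except UnsafeManifest as exc:
        return f"rejected: {exc}"
```

Rejecting at the DOCTYPE level also covers internal-entity expansion (the denial-of-service case), since no entity of either kind can be declared without a DTD.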
Affected Systems
The affected product is OpenCMS, release 20 and all prior versions. No specific sub-product or module is listed beyond the core CMS application.
Risk and Exploitability
The EPSS score is not available and the vulnerability is not listed in CISA's KEV catalog. No CVSS score is provided, but the attack vector is remote and requires application-level interaction: the attacker must upload a malicious ZIP file through the Admin Import DB interface, which is typically restricted to administrators. Because the flaw is reached through the web interface, exploitation is feasible from anywhere with network access to the CMS server. The risk is moderate to high for environments where the Admin Import DB feature is enabled and accessible to guest or untrusted users.
OpenCVE Enrichment