Description
OpenKM 6.3.12 contains a remote code execution vulnerability that allows authenticated administrators to execute arbitrary Java/BeanShell code through the /admin/Scripting endpoint. Attackers can submit malicious script content with an action=Evaluate parameter to execute operating system commands in the context of the OpenKM application server.
Published: 2026-05-26
Score: 8.6 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in OpenKM 6.3.12 allows an authenticated administrator to send arbitrary Java/BeanShell code to the /admin/Scripting endpoint using the action=Evaluate parameter. The vulnerability is a code injection weakness (CWE-94) that lets the malicious script execute operating system commands in the application server context, giving an attacker unrestricted control over the affected host.

Affected Systems

OpenKM Community Edition and OpenKM Professional Edition, specifically version 6.3.12. No other versions are listed as affected.

Risk and Exploitability

The CVSS score of 8.6 indicates a high severity risk. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. Attackers must first authenticate with administrative credentials; once authenticated, they can run arbitrary code on the server via the scripting endpoint, compromising confidentiality, integrity, and availability of the system.

Generated by OpenCVE AI on May 26, 2026 at 15:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest OpenKM release that includes the patch for the scripting flaw.
  • Disable or restrict access to the /admin/Scripting endpoint and the Evaluate action if they are not required for business operations.
  • Enforce strong administrator authentication, such as multi‑factor authentication, and limit the number of administrative accounts.

Generated by OpenCVE AI on May 26, 2026 at 15:47 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 27 May 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Openkm openkm Community Edition
Openkm openkm Professional Edition
Vendors & Products Openkm openkm Community Edition
Openkm openkm Professional Edition

Tue, 26 May 2026 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 26 May 2026 14:30:00 +0000

Type Values Removed Values Added
Description OpenKM 6.3.12 contains a remote code execution vulnerability that allows authenticated administrators to execute arbitrary Java/BeanShell code through the /admin/Scripting endpoint. Attackers can submit malicious script content with an action=Evaluate parameter to execute operating system commands in the context of the OpenKM application server.
Title OpenKM 6.3.12 Remote Code Execution via Administrative Scripting
First Time appeared Openkm
Openkm openkm
Weaknesses CWE-94
CPEs cpe:2.3:a:openkm:openkm:*:*:*:*:community:*:*:*
cpe:2.3:a:openkm:openkm:*:*:*:*:professional:*:*:*
Vendors & Products Openkm
Openkm openkm
References
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Openkm Openkm Openkm Community Edition Openkm Professional Edition
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-26T16:20:15.493Z

Reserved: 2026-04-29T15:52:17.950Z

Link: CVE-2026-42785

cve-icon Vulnrichment

Updated: 2026-05-26T16:20:12.548Z

cve-icon NVD

Status : Deferred

Published: 2026-05-26T15:16:38.023

Modified: 2026-05-26T19:47:48.987

Link: CVE-2026-42785

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-27T10:05:05Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')