CVE-2026-2735

UNKNOWN 0.0

Stored Cross-Site Scripting (XSS) vulnerability in Alkacon's OpenCms

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Stored Cross-Site Scripting (XSS) in Alkacon's OpenCms v18.0, which occurs when user input is not properly validated when sending a POST request to ‘/blog/new-article/org.opencms.ugc.CmsUgcEditService.gwt’ using the ‘text’ parameter.

CWE	CWE-79
Vendor	alkacon
Product	opencms
Published	Feb 19, 2026
Last Updated	Feb 20, 2026

Stay Ahead of the Next One

Get instant alerts for alkacon opencms

Be the first to know when new unknown vulnerabilities affecting alkacon opencms are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

Alkacon / OpenCms

18.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

incibe.es: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-alkacons-opencms

Credits

Gonzalo Aguilar García (6h4ack)