🔐 CVE Alert

CVE-2026-2736

UNKNOWN 0.0

Reflected Cross-Site Scripting (XSS) vulnerability in Alkacon's OpenCms

CVSS Score 0.0
EPSS Score 0.0%
EPSS Percentile 0th

A reflected cross-site scripting (XSS) vulnerability in Alkacon's OpenCms v18.0 allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL containing the ‘q’ parameter in ‘/search/index.html’. This vulnerability can be exploited to steal sensitive user information, such as session cookies, or to perform actions while impersonating the user.

CWE CWE-79
Vendor alkacon
Product opencms
Published Feb 19, 2026
Last Updated Mar 9, 2026

Affected Versions

Alkacon / OpenCms
18.0

References

incibe.es: https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-alkacons-opencms

Credits

Gonzalo Aguilar García (6h4ack)