CVE-2026-42425
OpenKM 6.3.12 Unrestricted SQL Execution via DatabaseQuery
CVSS Score
7.2
EPSS Score
0.0%
EPSS Percentile
0th
OpenKM 6.3.12 contains an unrestricted SQL execution vulnerability that allows authenticated administrative users to execute arbitrary SQL statements against the application database via the DatabaseQuery interface. Attackers can submit malicious SQL queries through the qs parameter to the /admin/DatabaseQuery endpoint to extract sensitive data including usernames and password hashes from the OKM_USER table, modify permissions, or delete database records.
| CWE | CWE-89 |
| Vendor | openkm |
| Product | openkm community edition |
| Published | May 26, 2026 |
| Last Updated | May 26, 2026 |
Stay Ahead of the Next One
Get instant alerts for openkm openkm community edition
Be the first to know when new high vulnerabilities affecting openkm openkm community edition are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Affected Versions
Openkm / OpenKM Community Edition
0 โค 6.3.12
Openkm / OpenKM Professional Edition
0 โค 7.1.47
References
exploit-db.com: https://www.exploit-db.com/exploits/52520 openkm.com: https://www.openkm.com/ hub.docker.com: https://hub.docker.com/r/openkm/openkm-ce terrasystemlabs.com: https://terrasystemlabs.com/post?slug=openkm-zero-day-vulnerabilities-terra-system-labs github.com: https://github.com/terrasystemlabs/Exploits/tree/main/OpenKM-Exploits github.com: https://github.com/terrasystemlabs/Exploits/tree/main/OpenKM-Exploits/nuclei-templates/openkm-sql-database-query vulncheck.com: https://www.vulncheck.com/advisories/openkm-unrestricted-sql-execution-via-databasequery
Credits
Terra System Labs Pvt. Ltd.