CVE-2026-41917 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2026-41917

CVE-2026-41917

Published:May 26, 2026

Updated:June 11, 2026

OpenKM 6.3.12 contains a local file inclusion vulnerability in the administrative scripting interface at /admin/Scripting that allows authenticated administrators to read arbitrary files by supplying an attacker-controlled filesystem path through the fsPath parameter with action=Load. Attackers can exploit this to access sensitive files including /etc/passwd, configuration files containing database credentials, and JVM keystores accessible to the OpenKM process.

Affected Packages

https://github.com/openkm/document-management-system.git (GITHUB):

Affected version(s) >=v6.3.3 <v6.3.13

Fix Suggestion:

Update to version v6.3.13

Related Resources (7)

https://github.com/terrasystemlabs/Exploits/tree/main/OpenKM-Exploits/nuclei-templates/openkm-local-file-execution

https://www.vulncheck.com/advisories/openkm-local-file-inclusion-via-admin-scripting

https://github.com/terrasystemlabs/Exploits/tree/main/OpenKM-Exploits

https://www.exploit-db.com/exploits/52520

https://terrasystemlabs.com/post?slug=openkm-zero-day-vulnerabilities-terra-system-labs

https://www.openkm.com/

https://hub.docker.com/r/openkm/openkm-ce

Do you need more information?

CVSS v4

Base Score:

6.9

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

HIGH

User Interaction

NONE

Vulnerable System Confidentiality

HIGH

Vulnerable System Integrity

NONE

Vulnerable System Availability

NONE

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

CVSS v3

Base Score:

4.9

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

HIGH

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

NONE

Availability

NONE

Weakness Type (CWE)

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-22

EPSS

Base Score:

0.06