openkm 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
過去の問題は主に vendor risk csrf and vendor risk xxe などに関し、一部は vendor impact session compromise を招き、vendor surface production workloads and vendor surface software deployment 関連の場面に影響します。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2025-57244 | OpenKM Community Edition 6.3.12 is vulnerable to stored cross-site scripting (XSS) in the user account creation interface. The Name field accepts script tags and the Email field is vulnerable when the POST request is modified to include encoded script tags, by passing frontend validation. | [email protected] | 5.4 | 0.03% | 2025-11-05 | 2025-11-07 |
| CVE-2024-35475 | A Cross-Site Request Forgery (CSRF) vulnerability was discovered in OpenKM Community Edition on or before version 6.3.12. The vulnerability exists in /admin/DatabaseQuery, which allows an attacker to manipulate a victim with administrative privileges to execute arbitrary SQL commands. | [email protected] | 6.4 | 0.26% | 2024-05-22 | 2025-11-12 |
| CVE-2023-50072 | A Stored Cross-Site Scripting (XSS) vulnerability exists in OpenKM version 7.1.40 (dbb6e88) With Professional Extension that allows an authenticated user to upload a note on a file which acts as a stored XSS payload. Any user who opens the note of a document file will trigger the XSS. | [email protected] | 5.4 | 3.70% | 2024-01-13 | 2025-06-03 |
| CVE-2021-33950 | An issue discovered in OpenKM v6.3.10 allows attackers to obtain sensitive information via the XMLTextExtractor function. | [email protected] | 7.5 | 0.27% | 2023-02-17 | 2025-03-18 |
| CVE-2022-47414 | If an attacker has access to the console for OpenKM (and is authenticated), a stored XSS vulnerability is reachable in the document "note" functionality. | [email protected] | 5.4 | 0.27% | 2023-02-07 | 2025-03-25 |
| CVE-2022-47413 | Given a malicious document provided by an attacker, the OpenKM DMS is vulnerable to a stored (persistent, or "Type II") XSS condition. | [email protected] | 5.4 | 0.26% | 2023-02-07 | 2025-03-25 |
| CVE-2022-3969 | A vulnerability was found in OpenKM up to 6.3.11 and classified as problematic. Affected by this issue is the function getFileExtension of the file src/main/java/com/openkm/util/FileUtils.java. The manipulation leads to insecure temporary file. Upgrading to version 6.3.12 is able to address this issue. The name of the patch is c069e4d73ab8864345c25119d8459495f45453e1. It is recommended to upgrade the affected component. The identifier of this vulnerability is VDB-213548. | [email protected] | 2.6 | 0.09% | 2022-11-13 | 2024-11-21 |
| CVE-2022-40317 | OpenKM 6.3.11 allows stored XSS related to the javascript: substring in an A element. | [email protected] | 5.4 | 2.77% | 2022-09-09 | 2024-11-21 |
| CVE-2022-2131 | OpenKM Community Edition in its 6.3.10 version and before was using XMLReader parser in XMLTextExtractor.java file without the required security flags, allowing an attacker to perform a XML external entity injection attack. | [email protected] | 8.5 | 0.28% | 2022-07-25 | 2024-11-21 |
| CVE-2021-3628 | OpenKM Community Edition in its 6.3.10 version is vulnerable to authenticated Cross-site scripting (XSS). A remote attacker could exploit this vulnerability by injecting arbitrary code via de uuid parameter. | [email protected] | 4.6 | 0.26% | 2021-08-30 | 2024-11-21 |
| CVE-2019-11445 | OpenKM 6.3.2 through 6.3.7 allows an attacker to upload a malicious JSP file into the /okm:root directories and move that file to the home directory of the site, via frontend/FileUpload and admin/repository_export.jsp. This is achieved by interfering with the Filesystem path control in the admin's Export field. As a result, attackers can gain remote code execution through the application server with root privileges. | [email protected] | 7.2 | 20.91% | 2019-04-22 | 2024-11-21 |
| CVE-2014-8957 | Cross-site scripting (XSS) vulnerability in OpenKM before 6.4.19 allows remote authenticated users to inject arbitrary web script or HTML via the Tasks parameter. | [email protected] | 5.4 | 0.20% | 2017-10-06 | 2026-05-13 |
| CVE-2014-9017 | Cross-site scripting (XSS) vulnerability in OpenKM before 6.4.19 (build 23338) allows remote authenticated users to inject arbitrary web script or HTML via the Subject field in a Task to frontend/index.jsp. | [email protected] | 3.5 | 0.29% | 2015-03-11 | 2026-05-06 |
| CVE-2012-2316 | Cross-site request forgery (CSRF) vulnerability in servlet/admin/AuthServlet.java in OpenKM 5.1.7 and other versions before 5.1.8-2 allows remote attackers to hijack the authentication of administrators for requests that execute arbitrary code via the script parameter to admin/scripting.jsp. | [email protected] | 6.8 | 2.12% | 2012-09-09 | 2026-04-29 |
| CVE-2012-2315 | admin/Auth in OpenKM 5.1.7 and other versions before 5.1.8-2 does not properly enforce privileges for changing user roles, which allows remote authenticated users to assign administrator privileges to arbitrary users via the userEdit action. | [email protected] | 4.0 | 7.21% | 2012-09-09 | 2026-04-29 |
| CVE-2008-2226 | Unspecified vulnerability in the export feature in OpenKM before 2.0 allows remote attackers to export arbitrary documents via unspecified vectors. NOTE: some of these details are obtained from third party information. | [email protected] | 5.0 | 0.32% | 2008-05-14 | 2026-04-23 |