CVE-2026-41917
OpenKM 6.3.12 Local File Inclusion via Admin Scripting
Vexday Risk Score
33Attention
SSVC decision (CISA)
Attend
PoC available → attend closely
CVSS 6.9EPSS 0.4%KEV nãoPoC públicaNuclei —Metasploit —Patch referenciado
Lifecycle
26 May 2026Published on NVD
Recommendation: Plan a near-term fix — a public PoC already exists.
OpenKM 6.3.12 contains a local file inclusion vulnerability in the administrative scripting interface at /admin/Scripting that allows authenticated administrators to read arbitrary files by supplying an attacker-controlled filesystem path through the fsPath parameter with action=Load. Attackers can exploit this to access sensitive files including /etc/passwd, configuration files containing database credentials, and JVM keystores accessible to the OpenKM process.
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
public PoCs found — 1
cve_referencewww.exploit-db.com/exploits/52520unverified⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
Want to know if your infrastructure is exposed to this?
Talk to TrueHacking →References
https://github.com/terrasystemlabs/Exploits/tree/main/OpenKM-Exploitshttps://github.com/terrasystemlabs/Exploits/tree/main/OpenKM-Exploits/nuclei-templates/openkm-local-file-executionhttps://hub.docker.com/r/openkm/openkm-cehttps://terrasystemlabs.com/post?slug=openkm-zero-day-vulnerabilities-terra-system-labshttps://www.exploit-db.com/exploits/52520https://www.openkm.com/https://www.vulncheck.com/advisories/openkm-local-file-inclusion-via-admin-scripting