OpenKM Community Edition 6.3.12 is vulnerable to stored cross-site scripting (XSS) in the user account creation interface. The Name field accepts script tags and the Email field is vulnerable when the POST request is modified to include encoded script tags, by passing frontend validation.
CVSS Score
5.4
EPSS Score
0.0
Published
2025-11-05
Given a malicious document provided by an attacker, the OpenKM DMS is vulnerable to a stored (persistent, or "Type II") XSS condition.
CVSS Score
5.4
EPSS Score
0.002
Published
2023-02-07
If an attacker has access to the console for OpenKM (and is authenticated), a stored XSS vulnerability is reachable in the document "note" functionality.
CVSS Score
5.4
EPSS Score
0.002
Published
2023-02-07