Ghostwire

CVE-2026-42425: OpenKM 6.3.12 contains an unrestricted SQL execution vulnerability that allows authenticated administrative users to...

HIGH CVSS 7.5

Published: May 26, 2026 | Last Modified: May 26, 2026

Description

OpenKM 6.3.12 contains an unrestricted SQL execution vulnerability that allows authenticated administrative users to execute arbitrary SQL statements against the application database via the DatabaseQuery interface. Attackers can submit malicious SQL queries through the qs parameter to the /admin/DatabaseQuery endpoint to extract sensitive data including usernames and password hashes from the OKM_USER table, modify permissions, or delete database records.

Ghostwire Analysis — What This Means Practically

High CVSS score indicates significant risk — exploitation could lead to substantial data exposure or system compromise.

This analysis is generated by Ghostwire from NVD, CISA KEV, EPSS, and open-source intelligence data. Verify findings through primary sources before acting.

CVE-2026-42425: OpenKM 6.3.12 contains an unrestricted SQL execution vulnerability that allows authenticated administrative users to...

Description

Ghostwire Analysis — What This Means Practically

Security Coverage (1 articles)

References