CVE-2026-42425 documents an unrestricted SQL execution vulnerability in OpenKM 6.3.12, published 2026-05-26. The flaw resides in the DatabaseQuery administrative interface, where authenticated administrative users can submit arbitrary SQL statements via the qs parameter to the /admin/DatabaseQuery endpoint. This enables extraction of sensitive data including usernames and password hashes from the OKM_USER [truncated]
OpenKM 6.3.12 contains a local file inclusion (LFI) vulnerability in the administrative scripting interface at /admin/Scripting. The vulnerability allows authenticated administrators to read arbitrary files by supplying an attacker-controlled filesystem path through the fsPath parameter with action=Load. This can be exploited to access sensitive files including /etc/passwd, configuration files containing [truncated]
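Detection logic covering both endpoints, as an added example that is not part of the original advisory text: it scans access-log lines for requests to /admin/DatabaseQuery carrying a qs parameter and to /admin/Scripting with action=Load and an fsPath parameter. The log lines, IPs and user names are constructed; only the endpoint paths and parameter names come from the advisories, and the context path under which OpenKM is deployed is assumed unknown.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample web-server access log (common log format), not real OpenKM traffic.
# The admin endpoints may sit under a context path (e.g. /OpenKM/admin/...), so the
# matching below uses endswith() rather than an exact path comparison.
SAMPLE_LOG = """\
10.0.0.5 - admin [26/May/2026:10:01:02 +0000] "GET /admin/DatabaseQuery?qs=SELECT+*+FROM+OKM_USER HTTP/1.1" 200 4123
10.0.0.5 - admin [26/May/2026:10:02:14 +0000] "GET /admin/Scripting?action=Load&fsPath=%2Fetc%2Fpasswd HTTP/1.1" 200 1834
10.0.0.7 - okmAdmin [26/May/2026:10:03:40 +0000] "GET /admin/Scripting?action=List HTTP/1.1" 200 512
10.0.0.9 - jdoe [26/May/2026:10:04:01 +0000] "GET /frontend/index.jsp HTTP/1.1" 200 9021
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def classify_request(target: str):
    """Return a finding string for one request target, or None when benign."""
    parts = urlsplit(target)
    path = unquote(parts.path)
    params = parse_qs(parts.query, keep_blank_values=True)
    # CVE-2026-42425: any qs value reaching DatabaseQuery is executed as SQL.
    if path.endswith("/admin/DatabaseQuery") and "qs" in params:
        return "CVE-2026-42425: SQL submitted via qs to /admin/DatabaseQuery"
    # LFI: Scripting with action=Load reads whatever filesystem path fsPath names.
    if path.endswith("/admin/Scripting") and params.get("action") == ["Load"] and "fsPath" in params:
        return f"LFI: /admin/Scripting action=Load fsPath={params['fsPath'][0]}"
    return None

def scan_log(text: str):
    """Parse each log line and collect findings with source IP, user and status code."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        finding = classify_request(m["target"])
        if finding:
            findings.append({"ip": m["ip"], "user": m["user"],
                             "status": m["status"], "finding": finding})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['user']} {f['status']} {f['finding']}")
```

Parameters sent in a POST body will not appear in a standard access log, so pair this with request-body logging or a WAF rule on the same two paths.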