CVE-2026-42425 HIGH

CVE-2026-42425: OpenKM 6.3.12 Unrestricted SQL Execution via DatabaseQuery

Vendor OpenKM
Product OpenKM Community Edition
Weakness CWE-89 · SQLi
Published May 26, 2026
Last update May 26, 2026

CVSS base score

8.6/10
Attack vector Network
Attack complexity Low
Privileges required High
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

OpenKM 6.3.12 contains an unrestricted SQL execution vulnerability that allows authenticated administrative users to execute arbitrary SQL statements against the application database via the DatabaseQuery interface. Attackers can submit malicious SQL queries through the qs parameter to the /admin/DatabaseQuery endpoint to extract sensitive data including usernames and password hashes from the OKM_USER table, modify permissions, or delete database records.
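For defenders who want to see who has been using the admin SQL console, the following is an added example (not part of the advisory or of OpenKM) that scans web-server access log lines for requests to the /admin/DatabaseQuery endpoint, decodes the qs parameter named above, and ranks each statement by whether it writes or reads the OKM_USER table. The combined log format, the sample lines and the EXAMPLE_TABLE name are constructed for illustration; a POST body is not in an access log, so such requests are reported with unknown severity and need a request-body log or application audit log to classify.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-log-format line: client, ident, authenticated user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
ENDPOINT = "/admin/DatabaseQuery"          # endpoint named in the advisory
WRITE_VERBS = {"INSERT", "UPDATE", "DELETE", "DROP", "ALTER", "TRUNCATE", "GRANT", "REVOKE"}
SENSITIVE_TABLES = {"OKM_USER"}            # table named in the advisory

def classify_sql(sql):
    """Rank a statement: write, sensitive-read (touches OKM_USER), or read."""
    tokens = re.findall(r"[A-Za-z_]+", sql.upper())
    if not tokens:
        return "read"
    if tokens[0] in WRITE_VERBS:
        return "write"
    if SENSITIVE_TABLES.intersection(tokens):
        return "sensitive-read"
    return "read"

def audit_line(line):
    """Return a finding dict for a request to the SQL console, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    if not url.path.endswith(ENDPOINT):    # tolerate a context root such as /OpenKM
        return None
    qs = parse_qs(url.query).get("qs")      # parse_qs undoes '+' and %xx encoding
    finding = {"ip": m["ip"], "user": m["user"], "ts": m["ts"],
               "method": m["method"], "status": int(m["status"])}
    if qs is None:
        # POST bodies never reach an access log; the request is still worth reviewing.
        finding.update(sql=None, severity="unknown")
    else:
        finding.update(sql=qs[0], severity=classify_sql(qs[0]))
    return finding

def audit_log(lines):
    return [f for f in map(audit_line, lines) if f is not None]

# Constructed sample lines (not real traffic); EXAMPLE_TABLE is a placeholder name.
SAMPLE_LOG = [
    '10.0.0.5 - okmAdmin [26/May/2026:10:01:02 +0000] "GET /OpenKM/admin/DatabaseQuery?qs=SELECT+*+FROM+OKM_USER HTTP/1.1" 200 5120',
    '10.0.0.5 - okmAdmin [26/May/2026:10:02:10 +0000] "GET /OpenKM/admin/DatabaseQuery?qs=DELETE+FROM+EXAMPLE_TABLE HTTP/1.1" 200 312',
    '10.0.0.9 - okmAdmin [26/May/2026:10:03:00 +0000] "POST /OpenKM/admin/DatabaseQuery HTTP/1.1" 200 4096',
    '10.0.0.7 - alice [26/May/2026:10:04:00 +0000] "GET /OpenKM/frontend/ HTTP/1.1" 200 9000',
]

if __name__ == "__main__":
    for f in audit_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['user']}@{f['ip']} {f['method']} severity={f['severity']} sql={f['sql']!r}")
```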

Key dates

Disclosure timeline

May 26, 2026 CVE published
May 26, 2026 Record updated