OpenKM CVE-2026-42785 | EUVD-2026-31835 HIGH
Code Injection (CWE-94)
2026-05-26 · VulnCheck · GHSA-w8q9-g33h-9x9m
8.6 · CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: X (not defined)

Lifecycle Timeline (2 events)

  • Analysis Generated: Jun 08, 2026 10:01 (vuln.today)
  • CVSS changed: May 26, 2026 15:22 (NVD): 7.2 (HIGH) → 8.6 (HIGH)

Description (CVE.org)

OpenKM 6.3.12 contains a remote code execution vulnerability that allows authenticated administrators to execute arbitrary Java/BeanShell code through the /admin/Scripting endpoint. Attackers can submit malicious script content with an action=Evaluate parameter to execute operating system commands in the context of the OpenKM application server.

Analysis (AI)

Remote code execution in OpenKM Community Edition (≤6.3.12) and Professional Edition (≤7.1.47) allows authenticated administrators to execute arbitrary Java/BeanShell code via the /admin/Scripting endpoint using the action=Evaluate parameter. Publicly available exploit code exists (Exploit-DB 52520 and a Nuclei template from Terra System Labs), though no active exploitation has been confirmed in CISA KEV; EPSS sits at 0.42% (62nd percentile), reflecting moderate but not widespread interest.


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

  • Recon: Identify exposed OpenKM admin login
  • Delivery: Obtain admin credentials (reuse/phish/default)
  • Exploit: Authenticate to /admin/Scripting
  • Install: POST BeanShell payload with action=Evaluate
  • C2: JVM executes arbitrary Java/OS commands
  • Execute: Establish reverse shell as app-server user
  • Impact: Exfiltrate documents and pivot internally

Vulnerability Assessment (AI)

Exploitation: Exploitation requires (1) network reachability to the OpenKM web interface, specifically the /admin/Scripting endpoint, and (2) valid credentials for an account in the OpenKM administrator role (CVSS PR:H) - there is no separate token, CSRF defence, or out-of-band approval gating the Evaluate action. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: CVSS 4.0 vector AV:N/AC:L/AT:N/PR:H/UI:N rates this 8.6 because exploitation is network-reachable with no user interaction and yields total confidentiality, integrity, and availability impact (VC:H/VI:H/VA:H), but the PR:H requirement - full administrator credentials - is the dominant limiting factor and aligns with SSVC's 'Automatable: no' classification. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker who has obtained OpenKM administrator credentials - through phishing, password reuse, an exposed default install, or credential stuffing against an internet-facing instance - sends an authenticated POST to /admin/Scripting with action=Evaluate and a BeanShell payload such as Runtime.getRuntime().exec("...") to spawn a reverse shell as the application server user. Because a working Exploit-DB module (52520) and a ready-to-run Nuclei template are publicly available, weaponization requires no original research; from initial shell the attacker can read or exfiltrate the entire document repository, tamper with stored files, and pivot into the underlying database or host network.

Remediation: No vendor-released patch identified at time of analysis - the provided references include the vendor site and third-party advisories but do not name a fixed Community or Professional Edition build, so operators should monitor https://www.openkm.com/ and the Terra System Labs and VulnCheck advisories for a patched release announcement. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Identify all OpenKM Community Edition 6.3.12 and earlier, and Professional Edition 7.1.47 and earlier instances in your environment; restrict network access to the /admin/Scripting endpoint to dedicated administrative networks only; enable audit logging for all administrator activities. …
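The two controls recommended above (restricting /admin/Scripting to administrative networks and auditing administrator activity) can be checked against existing web-tier access logs while a patch is awaited. The script below is an added example for this page; it is not vuln.today's analysis code nor anything shipped by OpenKM. It assumes combined-format access logs (Tomcat/Apache style) in which the request line shows the path and, where the console is driven by a query string, the action=Evaluate parameter; the administrative allow-list 10.20.0.0/24 and all sample log lines are constructed for the example.

```python
"""Review access logs for use of the OpenKM /admin/Scripting console.

Added example (not from the advisory page or from OpenKM). Assumptions:
  - combined-format access logs from the web tier are available;
  - administrative traffic should come only from ADMIN_NETWORKS (constructed);
  - action=Evaluate is visible in the logged request line when present.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Constructed allow-list of networks from which admin use is expected (assumption).
ADMIN_NETWORKS = [ipaddress.ip_network("10.20.0.0/24")]

# Endpoint named in the advisory; matched as a substring so a context path
# in front of it (e.g. /OpenKM/admin/Scripting) is still caught.
SCRIPTING_PATH = "/admin/Scripting"

# Combined log format: ip ident user [time] "METHOD path PROTO" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [26/May/2026:15:22:01 +0000] "POST /admin/Scripting?action=Evaluate HTTP/1.1" 200 512
10.20.0.5 - okmAdmin [26/May/2026:15:25:10 +0000] "GET /admin/Scripting HTTP/1.1" 200 4096
203.0.113.7 - - [26/May/2026:15:22:00 +0000] "POST /index.jsp HTTP/1.1" 302 0
198.51.100.9 - okmAdmin [26/May/2026:16:01:33 +0000] "POST /OpenKM/admin/Scripting HTTP/1.1" 200 780
10.20.0.5 - okmAdmin [26/May/2026:16:05:00 +0000] "GET /OpenKM/index.jsp HTTP/1.1" 200 2200
"""


@dataclass(frozen=True)
class Finding:
    ip: str
    user: str
    time: str
    method: str
    path: str
    status: str
    severity: str          # "high", "medium" or "info"
    reasons: Tuple[str, ...]


def _from_admin_network(ip: str) -> bool:
    """True if the source address falls inside the constructed allow-list."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETWORKS)


def analyse_line(line: str) -> Optional[Finding]:
    """Return a Finding for any request that touched the scripting console."""
    m = LOG_RE.match(line)
    if not m:
        return None                      # unparseable or non-combined format
    d = m.groupdict()
    if SCRIPTING_PATH not in d["path"]:
        return None                      # not the endpoint of interest
    reasons = []
    if not _from_admin_network(d["ip"]):
        reasons.append("source outside administrative allow-list")
    if "action=Evaluate" in d["path"]:
        reasons.append("action=Evaluate present in request line")
    if d["method"] == "POST":
        reasons.append("script submission (POST) to scripting console")
    # Any reach from outside the allow-list, or a visible Evaluate call, is high;
    # a POST from an admin network still deserves review; a GET there is routine.
    if not _from_admin_network(d["ip"]) or "action=Evaluate" in d["path"]:
        severity = "high"
    elif d["method"] == "POST":
        severity = "medium"
    else:
        severity = "info"
    return Finding(d["ip"], d["user"], d["time"], d["method"], d["path"],
                   d["status"], severity, tuple(reasons))


def scan(lines: Iterable[str]) -> List[Finding]:
    """Run analyse_line over every line and keep the hits, in log order."""
    return [f for f in (analyse_line(l) for l in lines) if f is not None]


def by_source(findings: Iterable[Finding]) -> dict:
    """Count console hits per source address, useful for triage ordering."""
    return dict(Counter(f.ip for f in findings))


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.severity:6} {f.ip:14} {f.user:9} {f.method:5} {f.path}  "
              f"[{'; '.join(f.reasons) or 'routine admin-network access'}]")
```

Point the script at the real access log instead of SAMPLE_LOG and review every "high" entry first; a POST to the console from outside the administrative networks is exactly the condition the restriction above is meant to make impossible, so any such hit after the restriction is applied indicates a gap in the network control.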



CVE-2026-42785 vulnerability details – vuln.today
