Skip to main content

OpenText Access Manager EUVDEUVD-2026-38791

| CVE-2026-11878 HIGH
Cross-site Scripting (XSS) (CWE-79)
2026-06-24 OpenText GHSA-rrp3-3f6h-33jr
8.2
CVSS 4.0 · Vendor: OpenText
Share

Severity by source

Vendor (OpenText) PRIMARY
8.2 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
4.7 MEDIUM

Reflected XSS reachable over the network without auth (PR:N) but needing a victim to open crafted content (UI:R) and non-trivial preconditions (AC:H); script runs cross-context (S:C) with limited C/I impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N

Primary rating from Vendor (OpenText).

CVSS VectorVendor: OpenText

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

1
Analysis Generated
Jun 24, 2026 - 14:52 vuln.today

DescriptionCVE.org

Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in OpenText Access Manager allows Cross-Site Scripting (XSS).

This issue affects Access Manager: from 5.1 through 5.1.2.

AnalysisAI

Cross-site scripting in OpenText Access Manager 5.1 through 5.1.2 lets a remote unauthenticated attacker inject script that executes in the browser of a targeted user of this enterprise SSO/access-management platform (CWE-79). Per the vendor-supplied CVSS 4.0 vector the flaw carries high vulnerable-system confidentiality impact (VC:H) but high attack complexity and a specific attack requirement (AC:H/AT:P), yielding a base score of 8.2. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify reachable Access Manager web endpoint
Delivery
Craft request with malicious script payload
Exploit
Deliver crafted link to targeted user
Execution
Victim renders unsanitized page
Persist
Script executes in victim session
Impact
Exfiltrate session tokens / auth data

Vulnerability AssessmentAI

Exploitation Exploitation targets the web interface of OpenText Access Manager 5.1 through 5.1.2 and requires no attacker authentication (PR:N) and network reach (AV:N), but it is meaningfully limited: the vendor vector sets AC:H (high attack complexity) and AT:P (a specific attack requirement/precondition must hold), indicating the injection is not reliably triggerable against arbitrary default requests and likely depends on a particular request path, parameter, or product configuration. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Signals are mixed and warrant a measured priority. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a request or link containing a malicious script payload targeting a vulnerable Access Manager web page and lures or waits for a privileged user (such as an administrator or federated SSO user) to trigger it, given the AC:H/AT:P preconditions. When the page renders the unsanitized input, the script runs in the victim's session and can exfiltrate session tokens or authentication data (VC:H). …
Remediation Consult the OpenText/Micro Focus advisory at https://portal.microfocus.com/s/article/KM000047449 for the vendor-released fixed build and upgrade to the patched release for the 5.1 line (an exact fix version was not present in the available input and should be confirmed from that KB article before scheduling - do not assume a version number). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Verify deployment of OpenText Access Manager versions 5.1 through 5.1.2 in production environments and assess the scope of dependent applications. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2020-2555 CRITICAL POC
9.8 Jan 15

Vulnerability in the Oracle Coherence product of Oracle Fusion Middleware (component: Caching,CacheStore,Invocation). Ra

CVE-2018-10197 CRITICAL POC
9.8 Jul 11

There is a time-based blind SQL injection vulnerability in the Access Manager component before 9.18.040 and 10.x before

CVE-2018-2879 CRITICAL POC
9.0 Apr 19

Vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware (subcomponent: Authentication Engine).

CVE-2014-5217 MEDIUM POC
6.8 Dec 23

Cross-site request forgery (CSRF) vulnerability in nps/servlet/webacc in the Administration Console server in NetIQ Acce

CVE-2014-5216 MEDIUM POC
4.3 Dec 23

Multiple cross-site scripting (XSS) vulnerabilities in NetIQ Access Manager (NAM) 4.x before 4.0.1 HF3 allow remote atta

CVE-2019-10219 MEDIUM POC
6.1 Nov 08

A vulnerability was found in Hibernate-Validator. Rated medium severity (CVSS 6.1), this vulnerability is remotely explo

CVE-2016-5757 CRITICAL
9.8 Mar 23

iManager Admin Console in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 was vulnerable to iFrame

CVE-2014-9412 MEDIUM POC
4.3 Dec 23

Multiple cross-site scripting (XSS) vulnerabilities in NetIQ Access Manager (NAM) 4.x before 4.1 allow remote attackers

CVE-2018-1342 CRITICAL
9.8 Jan 26

A Vulnerability exists on Admin Console where an attacker can upload files to the Admin Console server, and potentially

CVE-2018-2739 CRITICAL
9.3 Apr 19

Vulnerability in the Oracle Access Manager component of Oracle Fusion Middleware (subcomponent: Web Server Plugin). Rate

CVE-2016-5750 HIGH
8.8 Mar 23

The certificate upload feature in iManager in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.2 could

CVE-2016-5758 HIGH
8.8 Mar 23

A cross site request forgery protection mechanism in NetIQ Access Manager 4.1 before 4.1.2 Hot Fix 1 and 4.2 before 4.2.

Share

EUVD-2026-38791 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy