What is GHSA-hf34-4jm2-f8qq?

GHSA-hf34-4jm2-f8qq is a security advisory published by GitHub Security Advisories with Medium severity. OpenKM 6.3.12 contains a local file inclusion vulnerability in the administrative scripting...

Which CVE IDs does GHSA-hf34-4jm2-f8qq cover?

GHSA-hf34-4jm2-f8qq covers the following CVE IDs: CVE-2026-41917. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-hf34-4jm2-f8qq?

GHSA-hf34-4jm2-f8qq has a CVSS v3 base score of 4.9, published by GitHub Security Advisories.

GHSA-hf34-4jm2-f8qqMediumCVSS 4.9

OpenKM 6.3.12 contains a local file inclusion vulnerability in the administrative scripting...

Vendor

GitHub Security Advisories

Published

May 26, 2026

Last Modified

May 26, 2026

🔗 CVE IDs covered (1)

CVE-2026-41917 →

📋 Description

OpenKM 6.3.12 contains a local file inclusion vulnerability in the administrative scripting interface at /admin/Scripting that allows authenticated administrators to read arbitrary files by supplying an attacker-controlled filesystem path through the fsPath parameter with action=Load. Attackers can exploit this to access sensitive files including /etc/passwd, configuration files containing database credentials, and JVM keystores accessible to the OpenKM process.

🔗 References (9)

https://nvd.nist.gov/vuln/detail/CVE-2026-41917
https://github.com/terrasystemlabs/Exploits/tree/main/OpenKM-Exploits
https://github.com/terrasystemlabs/Exploits/tree/main/OpenKM-Exploits/nuclei-templates/openkm-local-file-execution
https://hub.docker.com/r/openkm/openkm-ce
https://terrasystemlabs.com/post?slug=openkm-zero-day-vulnerabilities-terra-system-labs
https://www.exploit-db.com/exploits/52520
https://www.openkm.com
https://www.vulncheck.com/advisories/openkm-local-file-inclusion-via-admin-scripting
https://github.com/advisories/GHSA-hf34-4jm2-f8qq