CVE-2019-13236
MEDIUM
Alkacon OpenCms 10.5.4-10.5.5 - Reflected and Stored Cross-Site Scripting in Management Interface
Title source: llm
Exploitation Summary
EIP tracks 1 public exploit for CVE-2019-13236. PoCs published by Aetsu.
AI-analyzed exploit summary: This exploit demonstrates multiple stored and reflected XSS vulnerabilities in Alkacon OpenCMS 10.5.x. The PoC includes HTTP requests with malicious payloads targeting various administrative endpoints.
Description
In system/workplace/ in Alkacon OpenCms 10.5.4 and 10.5.5, there are multiple Reflected and Stored XSS issues in the management interface.
Exploits (1)
exploitdb
WORKING POC
by Aetsu · text · webapps · multiple
https://www.exploit-db.com/exploits/47339
Classification
Working PoC 100%
Attack Type
XSS
Complexity
Trivial
Reliability
Reliable
Target:
Alkacon OpenCMS 10.5.x
Auth required
Prerequisites:
Access to administrative interfaces · Valid session or authentication
MITRE ATT&CK
devstral-2 · analyzed Feb 16, 2026
References (4)
Core References
Patch x_refsource_misc
https://github.com/alkacon/opencms-core/commits/branch_10_5_x
Third Party Advisory x_refsource_misc
https://twitter.com/aetsu/status/1152096227938459648
Exploit, Third Party Advisory x_refsource_misc
https://aetsu.github.io/OpenCms
Exploit, Third Party Advisory x_refsource_misc
http://packetstormsecurity.com/files/154283/Alkacon-OpenCMS-10.5.x-Cross-Site-Scripting.html
Scores
CVSS v3
6.1
EPSS
0.0353
EPSS Percentile
88.0%
Attack Vector
NETWORK
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Details
CWE
CWE-79
Status
published
Products (3)
alkacon/opencms
10.5.4
alkacon/opencms
10.5.5
org.opencms/opencms-core
0 - 11.0.1 (Maven)
Published
Aug 27, 2019
Tracked Since
Feb 18, 2026