CVE-2025-57244

MEDIUM

Openkm - XSS

Title source: rule

Description

OpenKM Community Edition 6.3.12 is vulnerable to stored cross-site scripting (XSS) in the user account creation interface. The Name field accepts script tags and the Email field is vulnerable when the POST request is modified to include encoded script tags, by passing frontend validation.

References (2)

Core 2

Core References

Broken Link

https://github.com/wolffangsecurity/CVEs/blob/main/Stored%20XSS%20via%20Input%20Fields%20with%20Inconsistent%20Client-Side%20and%20Server-Side%20Validation%20Writeup.md

Exploit, Third Party Advisory

https://github.com/wolffangsecurity/CVEs/tree/main/CVE-2025-57244

View Exploit ZIP pw:eip

Scores

CVSS v3 5.4

EPSS 0.0003

EPSS Percentile 8.6%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-79

Status published

Products (1)

openkm/openkm 6.3.12

Published Nov 05, 2025

Tracked Since Feb 18, 2026