{"id":"CVE-2022-2131","details":"OpenKM Community Edition version 6.3.10 and earlier used the XMLReader parser in the XMLTextExtractor.java file without the required security flags, allowing an attacker to perform an XML external entity (XXE) injection attack.","modified":"2026-04-12T05:17:10.193759Z","published":"2022-07-25T15:15:09.463Z","references":[{"type":"ADVISORY","url":"https://www.incibe-cert.es/en/early-warning/security-advisories/openkm-xxe-injection"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/openkm/document-management-system","events":[{"introduced":"0"},{"last_affected":"1aaa1f2cade7115a4553e51917b70269a426f9f5"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"6.3.10"}],"cpe":"cpe:2.3:a:openkm:openkm:*:*:*:*:community:*:*:*","source":"CPE_FIELD"}}],"versions":["none","v6.3.10","v6.3.3","v6.3.5","v6.3.6","v6.3.7","v6.3.8","v6.3.9"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-2131.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}