2026-02-19 08:39:46
INCIBE
PUBLISHED
Reflected Cross-site Scripting (XSS) in Alkacon's OpenCms v18.0 allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL containing the ‘q’ parameter in ‘/search/index.html’. This vulnerability can be exploited to steal sensitive user information such as session cookies, or to perform actions while impersonating the user.