CVE-2006-3933: Alkacon OpenCms XSS via unsanitized message body

May 1, 2022 (updated October 31, 2025)

Cross-site scripting (XSS) vulnerability in Alkacon OpenCms before 6.2.2 allows remote authenticated users to inject arbitrary web script or HTML via the message body.

References

exchange.xforce.ibmcloud.com/vulnerabilities/28033
github.com/advisories/GHSA-gj9c-69cm-7c37
github.com/alkacon/opencms-core
github.com/alkacon/opencms-core/commit/e2d3754ef27e8e8e122700bdb3f59e6e15995bae
nvd.nist.gov/vuln/detail/CVE-2006-3933

Code Behaviors & Features

Detect and mitigate CVE-2006-3933 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →