Opentext
Products by Opentext Sorted by Most Security Vulnerabilities since 2018
By the Year
In 2026 there have been 16 vulnerabilities in Opentext. Last year, in 2025, Opentext had 7 security vulnerabilities published. That is, 9 more vulnerabilities have already been reported in 2026 than last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 16 | 0.00 |
| 2025 | 7 | 0.00 |
| 2024 | 20 | 7.55 |
| 2023 | 10 | 8.43 |
| 2022 | 0 | 0.00 |
| 2021 | 37 | 7.37 |
| 2020 | 0 | 0.00 |
| 2019 | 2 | 6.10 |
| 2018 | 2 | 0.00 |
It may take a day or so for new Opentext vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Opentext Security Vulnerabilities
| CVE | Date | Vulnerability | Products |
|---|---|---|---|
| CVE-2024-11604 | Mar 27, 2026 | **OpenText IDM SCIM Driver 1.0.0.0-1.1.0.0 Log Insertion of Sensitive Info** Insertion of Sensitive Information into Log File vulnerability in the SCIM Driver module in OpenText IDM Driver and Extensions on Windows, Linux, 64 bit allows authenticated local users to obtain sensitive information via access to log files. This issue affects IDM SCIM Driver: 1.0.0.0000 through 1.0.1.0300 and 1.1.0.0000. | |
| CVE-2025-13478 | Mar 27, 2026 | **OpenText IM 25.2 Cache Misconfig: Auth Users Read Others' Session Data** Cache misconfiguration vulnerability in OpenText Identity Manager on Windows, Linux allows remote authenticated users to obtain another user's session data via insecure application cache handling. This issue affects Identity Manager: 25.2(v4.10.1). | |
| CVE-2026-3278 | Mar 18, 2026 | **OpenText ZENworks Service Desk 25.2-25.3 XSS Vulnerability (CVE-2026-3278)** Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in OpenText ZENworks Service Desk allows Cross-Site Scripting (XSS). The vulnerability could allow an attacker to execute arbitrary JavaScript leading to unauthorized actions on behalf of the user. This issue affects ZENworks Service Desk: 25.2, 25.3. | |
| CVE-2025-12453 | Mar 13, 2026 | **OpenText Vertica Reflected XSS in Management Console (v10-25.3)** Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in OpenText Vertica allows Reflected XSS. The vulnerability could lead to Reflected XSS attack of cross-site scripting in Vertica management console application. This issue affects Vertica: from 10.0 through 10.X, from 11.0 through 11.X, from 12.0 through 12.X, from 23.0 through 23.X, from 24.0 through 24.X, from 25.1.0 through 25.1.X, from 25.2.0 through 25.2.X, from 25.3.0 through 25.3.X. | |
| CVE-2025-12454 | Mar 13, 2026 | **OpenText Vertica XSS in Management Console before 25.1.0** Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in OpenText Vertica allows Reflected XSS. The vulnerability could lead to Reflected XSS attack of cross-site scripting in Vertica management console application. This issue affects Vertica: from 10.0 through 10.X, from 11.0 through 11.X, from 12.0 through 12.X, from 23.0 through 23.X, from 24.0 through 24.X, from 25.1.0 through 25.1.X. | |
| CVE-2025-12455 | Mar 13, 2026 | **Vertica 10-12 Brute Force via Response Discrepancy in Management Console** Observable response discrepancy vulnerability in OpenText Vertica allows Password Brute Forcing. The vulnerability could lead to Password Brute Forcing in Vertica management console application. This issue affects Vertica: from 10.0 through 10.X, from 11.0 through 11.X, from 12.0 through 12.X. | |
| CVE-2026-3266 | Mar 03, 2026 | **OpenText Filr <25.1.2 Missing Auth XSRF Token Evasion** Missing Authorization vulnerability in OpenText Filr allows Authentication Bypass. The vulnerability could allow unauthenticated users to get XSRF token and do RPC with carefully crafted programs. This issue affects Filr: through 25.1.2. | |
| CVE-2025-9120 | Feb 24, 2026 | **OpenText Carbonite Backup 6.8.3 Code Injection via Open Port (CVE-2025-9120)** Improper Control of Generation of Code ('Code Injection') vulnerability in OpenText Carbonite Safe Server Backup allows Code Injection. The vulnerability could be exploited through an open port, potentially allowing unauthorized access. This issue affects Carbonite Safe Server Backup: through 6.8.3. | |
| CVE-2026-1658 | Feb 19, 2026 | **OpenText Directory Services UI Misrepresentation & Cache Poisoning (20.4.1-25.2)** User Interface (UI) Misrepresentation of Critical Information vulnerability in OpenText Directory Services allows Cache Poisoning. The vulnerability could be exploited by a bad actor to inject manipulated text into the OpenText application, potentially misleading users. This issue affects Directory Services: from 20.4.1 through 25.2. | |
| CVE-2025-9208 | Feb 19, 2026 | **OpenText Web Site Management Server 16.7.X-16.8.1 Stored XSS via 'download' param** Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText Web Site Management Server allows Stored XSS. The vulnerability could execute malicious scripts on the client side when the download query parameter is removed from the file URL, allowing attackers to compromise user sessions and data. This issue affects Web Site Management Server: 16.7.X, 16.8, 16.8.1. | |
| CVE-2025-13671 | Feb 19, 2026 | **CSRF Vulnerability in OpenText Web Site Mgmt Server 16.7.0-16.7.1** Cross-Site Request Forgery (CSRF) vulnerability in OpenText Web Site Management Server allows Cross Site Request Forgery. The vulnerability could make a user, with active session inside the product, click on a page that contains this malicious HTML triggering to perform changes unconsciously. This issue affects Web Site Management Server: 16.7.0, 16.7.1. | |
| CVE-2025-13672 | Feb 19, 2026 | **OpenText Web Site Management Server 16.7.0/1 XSS via Reflected URL** Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText Web Site Management Server allows Reflected XSS. The vulnerability could allow injecting malicious JavaScript inside URL parameters that was then rendered with the preview of the page, so that malicious scripts could be executed on the client side. This issue affects Web Site Management Server: 16.7.0, 16.7.1. | |
| CVE-2025-8054 | Feb 19, 2026 | **OpenText XM Fax 24.2 Path Traversal (CVE-2025-8054) - File Disclosure** Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in OpenText XM Fax allows Path Traversal. The vulnerability could allow an attacker to arbitrarily disclose content of files on the local filesystem. This issue affects XM Fax: 24.2. | |
| CVE-2025-8055 | Feb 19, 2026 | **OpenText XM Fax SSRF 24.2 (CVE-2025-8055)** Server-Side Request Forgery (SSRF) vulnerability in OpenText XM Fax allows Server Side Request Forgery. The vulnerability could allow an attacker to perform blind SSRF to other systems accessible from the XM Fax server. This issue affects XM Fax: 24.2. | |
| CVE-2025-15579 | Feb 18, 2026 | **OpenText Directory Services <26.1.2 CVE-2025-15579 Deserial Obj Inject** Deserialization of Untrusted Data vulnerability in OpenText Directory Services allows Object Injection. The vulnerability could lead to remote code execution, denial of service, or privilege escalation. This issue affects Directory Services: before 24.4.16, from 25.1 before 25.1.9, from 25.2 before 25.2.9, from 25.3 before 25.3.8, from 25.4 before 25.4.5, from 26.1 before 26.1.2. | |
| CVE-2024-9432 | Jan 30, 2026 | **Cleartext Storage of Sensitive Data in OpenText Vertica (CVE-2024-9432)** Cleartext Storage of Sensitive Information vulnerability in OpenText Vertica allows Retrieve Embedded Sensitive Data. The vulnerability could read Vertica agent plaintext apikey. This issue affects Vertica versions: 23.X, 24.X, 25.X. | |
| CVE-2025-11884 | Nov 19, 2025 | **Stored XSS in OpenText uCMDB 24.4 - High Level Access Exploit** Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in opentext uCMDB allows Stored XSS. The vulnerability could allow an attacker has high level access to UCMDB to create or update data with malicious scripts. This issue affects uCMDB: 24.4. | |
| CVE-2025-8050 | Oct 21, 2025 | **CVE-2025-8050: Path Traversal in Opentext Flipper 3.1.2** External Control of File Name or Path vulnerability in opentext Flipper allows Path Traversal. The vulnerability could allow a user to access files hosted on the server. This issue affects Flipper: 3.1.2. | |
| CVE-2025-8052 | Oct 20, 2025 | **OpenText Flipper 3.1.2 HQL SQLi Vulnerability** SQL Injection vulnerability in opentext Flipper allows SQL Injection. The vulnerability could allow a low privilege user to interact with the database in unintended ways and extract data by interacting with the HQL processor. This issue affects Flipper: 3.1.2. | |
| CVE-2025-8048 | Oct 20, 2025 | **External Control File Name/Path in Flipper 3.1.2 (Path Traversal)** External Control of File Name or Path vulnerability in opentext Flipper allows Path Traversal. The vulnerability could allow a user to submit a stored local file path and then download the specified file from the system by requesting the stored document ID. This issue affects Flipper: 3.1.2. | |
| CVE-2025-8049 | Oct 20, 2025 | **OpenText Flipper 3.1.2: ACL Granularity Enables Privilege Elevation** Insufficient Granularity of Access Control vulnerability in opentext Flipper allows Exploiting Incorrectly Configured Access Control Security Levels. The vulnerability could allow a low-privilege user to elevate privileges within the application. This issue affects Flipper: 3.1.2. | |
| CVE-2025-8051 | Oct 20, 2025 | **Absolute Path Traversal in OpenText Flipper 3.1.2** Path Traversal vulnerability in opentext Flipper allows Absolute Path Traversal. The vulnerability could allow a user to access files hosted on the server. This issue affects Flipper: 3.1.2. | |
| CVE-2025-8053 | Oct 20, 2025 | **OpenText Flipper 3.1.2 Access Control Granularity Flaw Low Privilege Escalation** Insufficient Granularity of Access Control vulnerability in opentext Flipper allows Exploiting Incorrectly Configured Access Control Security Levels. The vulnerability could allow a low privilege user to interact with the backend API without sufficient privileges. This issue affects Flipper: 3.1.2. | |
| CVE-2024-12111 | Dec 19, 2024 | **OpenText Privileged Access Manager LDAP Authentication Bypass Vulnerability** In a specific scenario a LDAP user can abuse the authentication process using injection attack in OpenText Privileged Access Manager that allows authentication bypass. This issue affects Privileged Access Manager version 23.3(4.4); 24.3(4.5) | |
| CVE-2024-9841 | Nov 08, 2024 | **OpenText ArcSight XSS Vulnerability - November 2024** A Reflected Cross-Site Scripting (XSS) vulnerability has been identified in OpenText ArcSight Management Center and ArcSight Platform. The vulnerability could be remotely exploited. | |
| CVE-2021-22518 | Sep 12, 2024 | **OpenText IM AzureAD Driver <=5.1.3.9 Sensitive Data Log Vulnerability** A vulnerability identified in OpenText Identity Manager AzureAD Driver that allows logging of sensitive information into log file. This impacts all versions before 5.1.4.0 | |
| CVE-2021-22509 | Aug 28, 2024 | **NetIQ Advance Authentication <=6.3.5.0 Sensitive Data Leakage via Stored Auth Info** A vulnerability identified in storing and reusing information in Advance Authentication. This issue can lead to leakage of sensitive data to unauthorized user. The issue affects NetIQ Advance Authentication before 6.3.5.1 | |
| CVE-2021-38122 | Aug 28, 2024 | **CVE-2021-38122: XSS in NetIQ Advance Auth Before 6.3.5.1** A Cross-Site Scripting vulnerable identified in NetIQ Advance Authentication that impacts the server functionality and disclose sensitive information. This issue affects NetIQ Advance Authentication before 6.3.5.1 | |
| CVE-2021-38121 | Aug 28, 2024 | **NetIQ Advance Authentication <6.3.5.1 Weak TLS Protocol** Insufficient or weak TLS protocol version identified in Advance authentication client server communication when specific service is accessed between devices. This issue affects NetIQ Advance Authentication versions before 6.3.5.1 | |
| CVE-2021-22529 | Aug 28, 2024 | **NetIQ AA Info Leak before v6.3.5.1** A vulnerability identified in NetIQ Advance Authentication that leaks sensitive server information. This issue affects NetIQ Advance Authentication version before 6.3.5.1 | |
| CVE-2023-7260 | Aug 22, 2024 | **OpenText CX-E Voice <22.4 Path Traversal Read Arbitrary Files** Path Traversal vulnerability discovered in OpenText CX-E Voice, affecting all version through 22.4. The vulnerability could allow arbitrarily access files on the system. | |
| CVE-2023-7249 | Aug 12, 2024 | **OpenText Directory Services Path Traversal CVE-2023-7249 in 16.4.2-24.1** Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in OpenText OpenText Directory Services allows Path Traversal. This issue affects OpenText Directory Services: from 16.4.2 before 24.1. | |
| CVE-2024-6357 | Aug 06, 2024 | **OpenText ArcSight Intelligence IDOR vulnerability** Insecure Direct Object Reference vulnerability identified in OpenText ArcSight Intelligence. | |
| CVE-2024-6359 | Aug 06, 2024 | **Privilege Escalation in OpenText ArcSight Intelligence** Privilege escalation vulnerability identified in OpenText ArcSight Intelligence. | |
| CVE-2024-6358 | Aug 06, 2024 | **OpenText ArcSight Intelligence Incorrect Auth Vulnerability CVE-2024-6358** Incorrect Authorization vulnerability identified in OpenText ArcSight Intelligence. | |
| CVE-2024-6361 | Aug 05, 2024 | **OpenText ALM Octane XSS: Improper Neutralization (before 23.4) Enables RCE** Improper Neutralization vulnerability (XSS) has been discovered in OpenText ALM Octane. The vulnerability affects all version prior to version 23.4. The vulnerability could cause remote code execution attack. | |
| CVE-2024-4187 | Jul 31, 2024 | **Stored XSS in OpenText Filr 24.1.x/24.2** Stored XSS vulnerability has been discovered in OpenText Filr product, affecting versions 24.1.1 and 24.2. The vulnerability could cause users to not be warned when clicking links to external sites. | |
| CVE-2023-7248 | Mar 15, 2024 | **CVE-2023-7248: Auth Bypass in OpenText Vertica Management Console <=12.0.4-18** Certain functionality in OpenText Vertica Management console might be prone to bypass via crafted requests. The vulnerability would affect one of Verticas authentication functionalities by allowing specially crafted requests and sequences. This issue impacts the following Vertica Management Console versions: 10.x; 11.1.1-24 or lower; 12.0.4-18 or lower. Please upgrade to one of the following Vertica Management Console versions: 10.x to upgrade to latest versions from below; 11.1.1-25; 12.0.4-19; 23.x; 24.x | |
| CVE-2020-11862 | Mar 13, 2024 | **NetIQ PAM Resource Exhaustion (Flooding) before 3.7.0.2** Allocation of Resources Without Limits or Throttling vulnerability in OpenText NetIQ Privileged Account Manager on Linux, Windows, 64 bit allows Flooding. This issue affects NetIQ Privileged Account Manager: before 3.7.0.2. | |
| CVE-2023-38534 | Mar 13, 2024 | **OpenText Exceed Turbo X 12.5.x Improper Auth via RPC** Improper authentication vulnerability in OpenText Exceed Turbo X affecting versions 12.5.0 and 12.5.1. The vulnerability could allow disclosure of restricted information in unauthenticated RPC. | |
| CVE-2023-38535 | Mar 13, 2024 | **Hard-Coded Key Vulnerability in OpenText Exceed Turbo X 12.5.1-12.5.2** Use of Hard-coded Cryptographic Key vulnerability in OpenText Exceed Turbo X affecting versions 12.5.1 and 12.5.2. The vulnerability could compromise the cryptographic keys. | |
| CVE-2023-38536 | Mar 13, 2024 | **OpenText Exceed Turbo X 12.5.1 XSS via HTML Injection** HTML injection in OpenText Exceed Turbo X affecting version 12.5.1. The vulnerability could result in Cross site scripting. | |
| CVE-2023-6123 | Feb 15, 2024 | **OpenText ALM Octane 16.2.100 RCE via Improper Neutralization** Improper Neutralization vulnerability affects OpenText ALM Octane version 16.2.100 and above. The vulnerability could result in a remote code execution attack. | |
| CVE-2022-41221 | May 24, 2023 | **OpenText Archive Center Administration XXE via XML: < 21.2** The client in OpenText Archive Center Administration through 21.2 allows XXE attacks. Authenticated users of the OpenText Archive Center Administration client (Versions 16.2.3, 21.2, and older versions) could upload XML files to the application that it did not sufficiently validate. As a result, attackers could craft XML files that, when processed by the application, would cause a negative security impact such as data exfiltration or localized denial of service against the application instance and system of the user running it. | |
| CVE-2023-31871 | May 18, 2023 | **OpenText Documentum v<23.2 Privilege Escalation via SUID dm_secure_writer** OpenText Documentum Content Server before 23.2 has a flaw that allows for privilege escalation from a non-privileged Documentum user to root. The software comes prepackaged with a root owned SUID binary dm_secure_writer. The binary has security controls in place preventing creation of a file in a non-owned directory, or as the root user. However, these controls can be carefully bypassed to allow for an arbitrary file write as root. | |
| CVE-2022-35898 | May 01, 2023 | **OpenText BizManager <16.6.0.1 Password Change Auth Bypass** OpenText BizManager before 16.6.0.1 does not perform proper validation during the change-password operation. This allows any authenticated user to change the password of any other user, including the Administrator account. | |
| CVE-2022-45923 | Jan 18, 2023 | **OpenText Content Suite 22.1 (16.2.19.1803) cs.exe Exploitable Memory Manipulation** An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The Common Gateway Interface (CGI) program cs.exe allows an attacker to increase/decrease an arbitrary memory address by 1 and trigger a call to a method of a vftable with a vftable pointer value chosen by the attacker. | |
| CVE-2022-45927 | Jan 18, 2023 | **OpenText Content Suite Platform 22.1: QDS Auth Bypass via Java App Server** An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The Java application server can be used to bypass the authentication of the QDS endpoints of the Content Server. These endpoints can be used to create objects and execute arbitrary code. | |
| CVE-2022-45922 | Jan 18, 2023 | **OpenText Content Suite 22.1 AdminPwd Cookie Bypass via KeepAliveSession** An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The request handler for ll.KeepAliveSession sets a valid AdminPwd cookie even when the Web Admin password was not entered. This allows access to endpoints, which require a valid AdminPwd cookie, without knowing the password. | |
| CVE-2022-45924 | Jan 18, 2023 | **OpenText Content Suite 22.1: Low-Priv File Delete itemtemplate.createtemplate2** An issue was discovered in OpenText Content Suite Platform 22.1 (16.2.19.1803). The endpoint itemtemplate.createtemplate2 allows a low-privilege user to delete arbitrary files on the server's local filesystem. | |