Attacker Impact
An affected OpenCms runtime can disclose sensitive information from the host, the usual outcome of an XML external entity (XXE) weakness, if the vulnerable CMIS servlet is deployed and reachable by an attacker [S2]. FixVibe treats repository matches as patch-priority dependency evidence, not as proof that the scanned application exposed local files or internal resources.
Root Cause
The advisory is tracked as CWE-611 (improper restriction of XML external entity reference, i.e. XXE) in org.opencms:opencms-core versions before 10.5.1 [S1][S2]. The issue lies in how OpenCms processes XML in the vulnerable release range [S2].
Concrete Fixes
Upgrade org.opencms:opencms-core to 10.5.1 or newer, rebuild the OpenCms WAR, server installation, or container image that production actually runs, and redeploy the fixed artifact [S1][S2]. If the dependency is only inherited from a parent POM or declared in a dormant module, confirm whether it is part of the deployed runtime before closing the advisory.
FixVibe coverage
FixVibe GitHub repo scans now check Maven pom.xml dependencies for org.opencms:opencms-core versions before 10.5.1. A finding is reported as a version-based advisory with the file path, detected version or constraint, confidence, CVE/GHSA IDs, and fixed version. FixVibe does not send XML payloads, and it does not claim, from this static evidence alone, that the affected servlet is deployed and reachable.
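The following is an added example of the kind of static pom.xml check described above; it is not FixVibe's own scanner code, and the pom.xml files it scans are constructed inputs, not real projects. It shows the three cases a practitioner runs into: a version pinned through a ${property}, a version range declared in dependencyManagement, and a dependency whose version is inherited from a parent POM that is not in the file (the case the "Concrete Fixes" section says to confirm by hand). The confidence labels and the omission of CVE/GHSA IDs are assumptions of this example.

```python
"""Static pom.xml check for org.opencms:opencms-core < 10.5.1 (added example, not FixVibe code).

Reads the POM as XML, resolves ${property} placeholders and dependencyManagement
versions, and reports a finding without contacting the network or the application.
"""
import re
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}
TARGET_GROUP, TARGET_ARTIFACT = "org.opencms", "opencms-core"
FIXED_VERSION = "10.5.1"
ADVISORY = "CWE-611"  # weakness class named in the advisory; CVE/GHSA IDs deliberately omitted here


def parse_version(text):
    """'10.5.0' -> (10, 5, 0). Qualifiers such as -SNAPSHOT are dropped before comparing."""
    return tuple(int(p) for p in re.findall(r"\d+", text.split("-")[0]))


def is_vulnerable(version):
    return parse_version(version) < parse_version(FIXED_VERSION)


def range_admits_vulnerable(spec):
    """Maven range such as '[10.0,10.5.1)': True if its lower bound is below the fixed release.
    A range starting at or above 10.5.1 cannot resolve to a vulnerable build."""
    lower = spec.strip("[]()").split(",")[0].strip()
    return not lower or is_vulnerable(lower)


def resolve(value, props):
    """Substitute ${prop} placeholders; return None when any property is undefined."""
    if value is None:
        return None
    out = re.sub(r"\$\{([^}]+)\}", lambda m: props.get(m.group(1), m.group(0)), value)
    return None if "${" in out else out


def _text(elem, tag):
    child = elem.find(f"m:{tag}", NS)
    return child.text.strip() if child is not None and child.text else None


def scan_pom(path, xml_text):
    root = ET.fromstring(xml_text)
    props = {}
    props_elem = root.find("m:properties", NS)
    if props_elem is not None:
        props.update({p.tag.split("}")[-1]: (p.text or "").strip() for p in props_elem})
    if _text(root, "version"):
        props["project.version"] = _text(root, "version")
    managed = {}
    for dep in root.findall("m:dependencyManagement/m:dependencies/m:dependency", NS):
        managed[(_text(dep, "groupId"), _text(dep, "artifactId"))] = resolve(_text(dep, "version"), props)
    findings = []
    for dep in root.findall("m:dependencies/m:dependency", NS):
        g, a, v = _text(dep, "groupId"), _text(dep, "artifactId"), _text(dep, "version")
        if (g, a) != (TARGET_GROUP, TARGET_ARTIFACT):
            continue
        version = resolve(v, props) if v else managed.get((g, a))
        base = {"file": path, "dependency": f"{g}:{a}", "advisory": ADVISORY, "fixed": FIXED_VERSION}
        if version is None:
            # Version comes from a parent POM or BOM outside this file: flag for manual
            # confirmation instead of claiming the deployed runtime is vulnerable.
            findings.append({**base, "detected": None, "confidence": "low",
                             "note": "version inherited from parent POM/BOM; confirm the deployed runtime"})
        elif version[0] in "[(":
            if range_admits_vulnerable(version):
                findings.append({**base, "detected": version, "confidence": "medium",
                                 "note": "version range admits releases before the fix"})
        elif is_vulnerable(version):
            findings.append({**base, "detected": version, "confidence": "high",
                             "note": "pinned version is before the fixed release"})
    return findings


# Constructed sample POMs (hypothetical paths and contents).
SAMPLE_POMS = {
    "site/pom.xml": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <version>1.0</version>
  <properties><opencms.version>10.5.0</opencms.version></properties>
  <dependencies><dependency>
    <groupId>org.opencms</groupId><artifactId>opencms-core</artifactId>
    <version>${opencms.version}</version>
  </dependency></dependencies>
</project>""",
    "module/pom.xml": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement><dependencies><dependency>
    <groupId>org.opencms</groupId><artifactId>opencms-core</artifactId>
    <version>[10.0,10.5.1)</version>
  </dependency></dependencies></dependencyManagement>
  <dependencies><dependency>
    <groupId>org.opencms</groupId><artifactId>opencms-core</artifactId>
  </dependency></dependencies>
</project>""",
    "child/pom.xml": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies><dependency>
    <groupId>org.opencms</groupId><artifactId>opencms-core</artifactId>
  </dependency></dependencies>
</project>""",
    "fixed/pom.xml": """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies><dependency>
    <groupId>org.opencms</groupId><artifactId>opencms-core</artifactId>
    <version>10.5.1</version>
  </dependency></dependencies>
</project>""",
}


def scan_all(poms=SAMPLE_POMS):
    """Scan every POM and return the findings in file order."""
    return [f for path, text in poms.items() for f in scan_pom(path, text)]


if __name__ == "__main__":
    for finding in scan_all():
        print(finding)
```

The "fixed" POM yields no finding, the pinned 10.5.0 one is reported with high confidence, the range and the inherited version are reported with lower confidence and a note, matching the advisory's stance that a repository match is patch-priority evidence rather than proof of an exposed runtime.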
