Export CSV

Products

1 vendor
VendorProductsCVEsKEVAvg EPSSWorst Severity
13070.8%CRITICAL

Related CVEs

3
CVE IDDescriptionSeverityCVSSKEVEPSSPublished
CVE-2026-28517openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() without validation or sanitization. If an attacker can modify the fac_Config.dot value, arbitrary commands may be executed in the context of the web server process.CRITICAL9.392.0%Feb 27, 2026
CVE-2026-28516openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation without prepared statements or proper input sanitation. An authenticated user can execute arbitrary SQL statements against the underlying database.CRITICAL9.357.5%Feb 27, 2026
CVE-2026-28515openDCIM version 23.04, through commit 4467e9c4, contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks. Any authenticated user can access this functionality regardless of assigned privileges. In deployments where REMOTE_USER is set without authentication enforcement, the endpoint may be accessible without credentials. This allows unauthorized modification of application configuration.CRITICAL9.363.1%Feb 27, 2026