TopVuln

High-risk vulnerability digests

CVE-2026-28517

  • CRITICAL

disclosure@vulncheck.com

Details

CVSS v3: 9.8
CVSS v4: 9.3
NVD published: 2026-02-27 23:16:06
Affected versions: cpe:2.3:a:opendcim:opendcim:23.04:*:*:*:*:*:*:*
Summary
openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() without validation or sanitization. If an attacker can modify the fac_Config.dot value, arbitrary commands may be executed in the context of the web server process.
Remediation
Not available in our cache.
Exploit info
https://chocapikk.com/posts/2026/opendcim-sqli-to-rce/
https://github.com/Chocapikk/opendcim-exploit


Information is aggregated from multiple authoritative sources for convenience; verify with NVD and vendors before operational decisions.