Which versions of openDCIM are affected by CVE-2026-28517?

openDCIM 23.04 contains a critical remote code execution vulnerability allowing unauthenticated attackers to execute arbitrary commands on the web server, exploitable through database parameter…. A patch is available.

Is there a public PoC exploit available for CVE-2026-28517?

Yes, a public proof-of-concept exploit is available for CVE-2026-28517. Prioritise patching immediately. EPSS: 0.6%.

How to fix or mitigate CVE-2026-28517?

Within 24 hours: Identify all openDCIM 23.04 instances in your environment and isolate them from untrusted networks or disable external access. Within 7 days: Apply the vendor-released patch to upgrade openDCIM to version 23.05 or later. Within 30 days: Conduct forensic review of openDCIM server logs, database audit trails, and system command histories for indicators of exploitation or unauthorized access dating back to deployment.

openDCIM CVE-2026-28517

Q: What is the CVSS score of CVE-2026-28517?

CVE-2026-28517 has a CVSS 4.0 base score of 9.3 (Critical). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.6%.

CRITICAL

OS Command Injection (CWE-78)

2026-02-27 disclosure@vulncheck.com

PHP Command Injection

9.3

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Source Code Evidence Fetched

May 12, 2026 - 01:27 vuln.today

Analysis Updated

May 12, 2026 - 01:27 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 12, 2026 - 01:22 vuln.today

cvss_changed

CVSS changed

May 12, 2026 - 01:22 NVD

9.8 (CRITICAL) 9.3 (CRITICAL)

Analysis Generated

Mar 12, 2026 - 21:55 vuln.today

PoC Detected

Mar 10, 2026 - 14:40 vuln.today

Public exploit code

Patch released

Mar 10, 2026 - 14:40 nvd

Patch available

CVE Published

Feb 27, 2026 - 23:16 nvd

CRITICAL 9.8

DescriptionNVD

openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() without validation or sanitation. If an attacker can modify the fac_Config.dot value, arbitrary commands may be executed in the context of the web server process.

AnalysisAI

Remote code execution in openDCIM 23.04 allows unauthenticated attackers to execute arbitrary OS commands as the web server user by poisoning the 'dot' configuration parameter in the database, then triggering execution via report_network_map.php. Public exploit code exists with a documented SQL injection to command injection attack chain. …

RemediationAI

Within 24 hours: Identify all openDCIM 23.04 instances in your environment and isolate them from untrusted networks or disable external access. Within 7 days: Apply the vendor-released patch to upgrade openDCIM to version 23.05 or later. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-28517 vulnerability details – vuln.today

Back

openDCIM CVE-2026-28517

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

openDCIM CVE-2026-28517

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code