Skip to main content

openDCIM CVE-2026-28517

CRITICAL
OS Command Injection (CWE-78)
2026-02-27 disclosure@vulncheck.com
9.3
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from Vendor (vulncheck) · only source for this CVE.

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Source Code Evidence Fetched
May 12, 2026 - 01:27 vuln.today
Analysis Updated
May 12, 2026 - 01:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 12, 2026 - 01:22 vuln.today
cvss_changed
CVSS changed
May 12, 2026 - 01:22 NVD
9.8 (CRITICAL) 9.3 (CRITICAL)
Analysis Generated
Mar 12, 2026 - 21:55 vuln.today
PoC Detected
Mar 10, 2026 - 14:40 vuln.today
Public exploit code
Patch released
Mar 10, 2026 - 14:40 nvd
Patch available
CVE Published
Feb 27, 2026 - 23:16 nvd
CRITICAL 9.8

DescriptionCVE.org

openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() without validation or sanitation. If an attacker can modify the fac_Config.dot value, arbitrary commands may be executed in the context of the web server process.

AnalysisAI

Remote code execution in openDCIM 23.04 allows unauthenticated attackers to execute arbitrary OS commands as the web server user by poisoning the 'dot' configuration parameter in the database, then triggering execution via report_network_map.php. Public exploit code exists with a documented SQL injection to command injection attack chain. EPSS score of 0.57% (68th percentile) suggests moderate but not widespread exploitation probability, though the publicly available weaponized exploit significantly elevates real-world risk for exposed instances.

Technical ContextAI

openDCIM is a PHP-based data center infrastructure management application. The vulnerability exists in report_network_map.php which generates network topology graphs using the Graphviz 'dot' command-line utility. The application retrieves the dot executable path from the fac_Config database table and passes it directly to PHP's exec() function without validation (lines 7, 467 in commit 4467e9c4). This represents a classic CWE-78 OS Command Injection where externally-influenced input reaches a command execution sink. The affected CPE is cpe:2.3:a:opendcim:opendcim:23.04, indicating the vulnerability is present in version 23.04 through the referenced commit. The fix (PR #1664) implements three controls: escapeshellarg() wrapping of all exec() parameters, is_executable() validation of the dot command path, and parameterized SQL queries to prevent the initial database poisoning vector.

RemediationAI

Apply the vendor-released patch available via GitHub Pull Request #1664 at https://github.com/opendcim/openDCIM/pull/1664 (specific commit 8f7ab2a710086a9c8c269560793e47c577ddda09 at https://github.com/opendcim/openDCIM/pull/1664/changes/8f7ab2a710086a9c8c269560793e47c577ddda09). The patch implements three security controls: escapeshellarg() sanitization of all exec() parameters in report_network_map.php, is_executable() validation of the dot command path before execution, and parameterized SQL queries in config.inc.php to prevent the database poisoning vector. If immediate patching is not feasible, implement these compensating controls with noted trade-offs: (1) Restrict access to report_network_map.php to authenticated administrators only via web server access controls-this breaks unauthenticated report access if that feature is in use. (2) Set the fac_Config.dot database value to an absolute path and make the fac_Config table read-only to the web application database user-this prevents runtime configuration changes through the web interface. (3) Deploy web application firewall rules to block SQL injection attempts targeting fac_Config table-this adds latency and requires tuning to avoid false positives. (4) Run the web server process in a restricted container or chroot environment with no access to sensitive system utilities-this limits post-exploitation impact but may break legitimate Graphviz functionality if not configured correctly.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

CVE-2026-28517 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy