Skip to main content

Open XDMoD CVE-2026-45777

| EUVDEUVD-2026-34904 CRITICAL
OS Command Injection (CWE-78)
2026-06-05 security-advisories@github.com
9.3
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Patch available
Jun 05, 2026 - 22:01 EUVD
Source Code Evidence Fetched
Jun 05, 2026 - 20:31 vuln.today
Analysis Generated
Jun 05, 2026 - 20:31 vuln.today

DescriptionNVD

OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Starting in version 9.5.0 and prior to version 11.0.3, an attacker can remotely execute arbitrary system commands on the web server hosting Open XDMoD with the privileges of the web server process. This could allow an attacker to read or modify application data, alter system configuration, or disrupt service availability. All deployments of Open XDMoD versions 9.5.0 through 11.0.2 (inclusive) are impacted. This issue was reported privately on 2026-04-06, and at this time there is no evidence that this vulnerability has been exploited in the wild. The vulnerability was patched in Open XDMoD 11.0.3 on 2026-05-12. As a workaround, apply the patch manually.

AnalysisAI

Remote unauthenticated command injection in Open XDMoD versions 9.5.0 through 11.0.2 allows attackers to execute arbitrary system commands on the web server with the privileges of the web server process. The flaw carries a CVSS 4.0 score of 9.3 and was privately reported on 2026-04-06; no public exploit identified at time of analysis, and there is no evidence of in-the-wild exploitation per the vendor advisory. A fix is available in Open XDMoD 11.0.3, released 2026-05-12.

Technical ContextAI

Open XDMoD is an open-source web framework developed by UBCCR for collecting and analyzing HPC (high-performance computing) metrics, typically deployed at academic and research institutions to monitor cluster usage. The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command, i.e., OS Command Injection), meaning user-controllable input reaches a shell or process-execution sink without adequate sanitization. Because Open XDMoD is a PHP-based web application that wraps various HPC data-ingestion and reporting workflows, command injection here likely arises from a web-exposed component that passes parameters to underlying shell commands or system utilities running as the web server user (typically apache/www-data).

RemediationAI

Vendor-released patch: Open XDMoD 11.0.3 (released 2026-05-12, tag v11.0.3-2 at https://github.com/ubccr/xdmod/releases/tag/v11.0.3-2) - upgrade immediately as the primary fix. As a temporary workaround for sites that cannot upgrade the full release, the vendor provides a standalone patch file at https://open.xdmod.org/security_patches/GHSA-29qm-7w4v-43fw-9_5_0-11_0_2.patch that can be applied manually against 9.5.0-11.0.2 installations; see the advisory at https://github.com/ubccr/xdmod/security/advisories/GHSA-29qm-7w4v-43fw for details. Until either is applied, restrict network access to the XDMoD web interface (e.g., firewall the portal to trusted institutional VLANs or place it behind an authenticating reverse proxy/VPN) to reduce exposure, accepting the trade-off that legitimate remote users will lose direct access. Because the exact vulnerable endpoint is not disclosed in the input data, blanket access restriction is more reliable than attempting to block a specific URL path.

Share

CVE-2026-45777 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy