Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionNVD
OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Starting in version 9.5.0 and prior to version 11.0.3, an attacker can remotely execute arbitrary system commands on the web server hosting Open XDMoD with the privileges of the web server process. This could allow an attacker to read or modify application data, alter system configuration, or disrupt service availability. All deployments of Open XDMoD versions 9.5.0 through 11.0.2 (inclusive) are impacted. This issue was reported privately on 2026-04-06, and at this time there is no evidence that this vulnerability has been exploited in the wild. The vulnerability was patched in Open XDMoD 11.0.3 on 2026-05-12. As a workaround, apply the patch manually.
AnalysisAI
Remote unauthenticated command injection in Open XDMoD versions 9.5.0 through 11.0.2 allows attackers to execute arbitrary system commands on the web server with the privileges of the web server process. The flaw carries a CVSS 4.0 score of 9.3 and was privately reported on 2026-04-06; no public exploit identified at time of analysis, and there is no evidence of in-the-wild exploitation per the vendor advisory. A fix is available in Open XDMoD 11.0.3, released 2026-05-12.
Technical ContextAI
Open XDMoD is an open-source web framework developed by UBCCR for collecting and analyzing HPC (high-performance computing) metrics, typically deployed at academic and research institutions to monitor cluster usage. The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command, i.e., OS Command Injection), meaning user-controllable input reaches a shell or process-execution sink without adequate sanitization. Because Open XDMoD is a PHP-based web application that wraps various HPC data-ingestion and reporting workflows, command injection here likely arises from a web-exposed component that passes parameters to underlying shell commands or system utilities running as the web server user (typically apache/www-data).
RemediationAI
Vendor-released patch: Open XDMoD 11.0.3 (released 2026-05-12, tag v11.0.3-2 at https://github.com/ubccr/xdmod/releases/tag/v11.0.3-2) - upgrade immediately as the primary fix. As a temporary workaround for sites that cannot upgrade the full release, the vendor provides a standalone patch file at https://open.xdmod.org/security_patches/GHSA-29qm-7w4v-43fw-9_5_0-11_0_2.patch that can be applied manually against 9.5.0-11.0.2 installations; see the advisory at https://github.com/ubccr/xdmod/security/advisories/GHSA-29qm-7w4v-43fw for details. Until either is applied, restrict network access to the XDMoD web interface (e.g., firewall the portal to trusted institutional VLANs or place it behind an authenticating reverse proxy/VPN) to reduce exposure, accepting the trade-off that legitimate remote users will lose direct access. Because the exact vulnerable endpoint is not disclosed in the input data, blanket access restriction is more reliable than attempting to block a specific URL path.
More in Open Xdmod
View allAn issue was discovered in Open XDMoD through 7.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely
SQL injection in Open XDMoD versions prior to 10.0.3 allows remote unauthenticated attackers to execute arbitrary SQL st
Stored-to-reflected cross-site scripting in Open XDMoD prior to 11.0.3 allows an authenticated attacker to inject JavaSc
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34904