Open Xdmod
Monthly
SQL injection in Open XDMoD versions prior to 10.0.3 allows remote unauthenticated attackers to execute arbitrary SQL statements against the underlying database of this HPC metrics framework. The flaw requires no authentication or user interaction (CVSS 4.0 score 9.3) and can result in full database compromise. No public exploit identified at time of analysis and no evidence of in-the-wild exploitation per the vendor advisory.
Stored-to-reflected cross-site scripting in Open XDMoD prior to 11.0.3 allows an authenticated attacker to inject JavaScript into their own user profile and then abuse the built-in password reset workflow to deliver the payload to a victim, executing in the victim's browser and enabling credential theft or full account takeover. The flaw is patched in Open XDMoD 11.0.3 (released 2026-05-12) and there is no public exploit identified at time of analysis; the vendor states no evidence of in-the-wild exploitation.
Remote unauthenticated command injection in Open XDMoD versions 9.5.0 through 11.0.2 allows attackers to execute arbitrary system commands on the web server with the privileges of the web server process. The flaw carries a CVSS 4.0 score of 9.3 and was privately reported on 2026-04-06; no public exploit identified at time of analysis, and there is no evidence of in-the-wild exploitation per the vendor advisory. A fix is available in Open XDMoD 11.0.3, released 2026-05-12.
An issue was discovered in Open XDMoD through 7.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.
SQL injection in Open XDMoD versions prior to 10.0.3 allows remote unauthenticated attackers to execute arbitrary SQL statements against the underlying database of this HPC metrics framework. The flaw requires no authentication or user interaction (CVSS 4.0 score 9.3) and can result in full database compromise. No public exploit identified at time of analysis and no evidence of in-the-wild exploitation per the vendor advisory.
Stored-to-reflected cross-site scripting in Open XDMoD prior to 11.0.3 allows an authenticated attacker to inject JavaScript into their own user profile and then abuse the built-in password reset workflow to deliver the payload to a victim, executing in the victim's browser and enabling credential theft or full account takeover. The flaw is patched in Open XDMoD 11.0.3 (released 2026-05-12) and there is no public exploit identified at time of analysis; the vendor states no evidence of in-the-wild exploitation.
Remote unauthenticated command injection in Open XDMoD versions 9.5.0 through 11.0.2 allows attackers to execute arbitrary system commands on the web server with the privileges of the web server process. The flaw carries a CVSS 4.0 score of 9.3 and was privately reported on 2026-04-06; no public exploit identified at time of analysis, and there is no evidence of in-the-wild exploitation per the vendor advisory. A fix is available in Open XDMoD 11.0.3, released 2026-05-12.
An issue was discovered in Open XDMoD through 7.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.