Skip to main content

Open Xdmod

4 CVEs product

Monthly

CVE-2026-45779 CRITICAL PATCH Act Now

SQL injection in Open XDMoD versions prior to 10.0.3 allows remote unauthenticated attackers to execute arbitrary SQL statements against the underlying database of this HPC metrics framework. The flaw requires no authentication or user interaction (CVSS 4.0 score 9.3) and can result in full database compromise. No public exploit identified at time of analysis and no evidence of in-the-wild exploitation per the vendor advisory.

SQLi Open Xdmod
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.9%
CVE-2026-45778 HIGH PATCH This Week

Stored-to-reflected cross-site scripting in Open XDMoD prior to 11.0.3 allows an authenticated attacker to inject JavaScript into their own user profile and then abuse the built-in password reset workflow to deliver the payload to a victim, executing in the victim's browser and enabling credential theft or full account takeover. The flaw is patched in Open XDMoD 11.0.3 (released 2026-05-12) and there is no public exploit identified at time of analysis; the vendor states no evidence of in-the-wild exploitation.

XSS Open Xdmod
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-45777 CRITICAL PATCH Act Now

Remote unauthenticated command injection in Open XDMoD versions 9.5.0 through 11.0.2 allows attackers to execute arbitrary system commands on the web server with the privileges of the web server process. The flaw carries a CVSS 4.0 score of 9.3 and was privately reported on 2026-04-06; no public exploit identified at time of analysis, and there is no evidence of in-the-wild exploitation per the vendor advisory. A fix is available in Open XDMoD 11.0.3, released 2026-05-12.

Command Injection Open Xdmod
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2018-16988 CRITICAL Act Now

An issue was discovered in Open XDMoD through 7.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Authentication Bypass Open Xdmod
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.3%
EPSS 1% CVSS 9.3
CRITICAL PATCH Act Now

SQL injection in Open XDMoD versions prior to 10.0.3 allows remote unauthenticated attackers to execute arbitrary SQL statements against the underlying database of this HPC metrics framework. The flaw requires no authentication or user interaction (CVSS 4.0 score 9.3) and can result in full database compromise. No public exploit identified at time of analysis and no evidence of in-the-wild exploitation per the vendor advisory.

SQLi Open Xdmod
NVD GitHub VulDB
EPSS 0% CVSS 8.6
HIGH PATCH This Week

Stored-to-reflected cross-site scripting in Open XDMoD prior to 11.0.3 allows an authenticated attacker to inject JavaScript into their own user profile and then abuse the built-in password reset workflow to deliver the payload to a victim, executing in the victim's browser and enabling credential theft or full account takeover. The flaw is patched in Open XDMoD 11.0.3 (released 2026-05-12) and there is no public exploit identified at time of analysis; the vendor states no evidence of in-the-wild exploitation.

XSS Open Xdmod
NVD GitHub VulDB
EPSS 0% CVSS 9.3
CRITICAL PATCH Act Now

Remote unauthenticated command injection in Open XDMoD versions 9.5.0 through 11.0.2 allows attackers to execute arbitrary system commands on the web server with the privileges of the web server process. The flaw carries a CVSS 4.0 score of 9.3 and was privately reported on 2026-04-06; no public exploit identified at time of analysis, and there is no evidence of in-the-wild exploitation per the vendor advisory. A fix is available in Open XDMoD 11.0.3, released 2026-05-12.

Command Injection Open Xdmod
NVD GitHub VulDB
EPSS 0% CVSS 9.8
CRITICAL Act Now

An issue was discovered in Open XDMoD through 7.5.0. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

PHP Authentication Bypass Open Xdmod
NVD GitHub VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy