Description
openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() without validation or sanitization. If an attacker can modify the fac_Config.dot value, arbitrary commands may be executed in the context of the web server process.
Published: 2026-02-27
Score: 9.3 Critical
EPSS: 31.4% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

openDCIM version 23.04 contains an OS command injection flaw in report_network_map.php where the application retrieves the 'dot' configuration from the database and passes it directly to PHP's exec() call without validation or sanitization. If an attacker can modify the fac_Config.dot value, arbitrary shell commands can be executed in the context of the web server process, giving full remote code execution and control over the system.

Affected Systems

The affected product is openDCIM version 23.04, as indicated by the commit 4467e9c4. Only installations running this or earlier patched builds are susceptible. The vulnerability is not tied to any other version or vendor as per the CNA data, so the risk is confined to this specific component.

Risk and Exploitability

The CVSS score of 9.3 classifies this flaw as critical. The EPSS rate of 31% indicates a high probability of exploitation in the wild. The likely attack vector is remote, through the web application or database interface that allows modification of the fac_Config.dot field; based on the description it is inferred that an attacker must gain write access to the database configuration to exploit the vulnerability. The vulnerability is currently not listed in the CISA KEV catalog, but the high severity and exploit probability warrant urgent remediation.

Generated by OpenCVE AI on May 12, 2026 at 02:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch from PR 1664 or upgrade to a later release that includes the fix.
  • Ensure the dot configuration parameter is either removed or properly sanitized before being passed to any shell command, and verify that only trusted values are accepted.
  • Restrict write privileges on the database configuration for untrusted users and monitor for unauthorized changes to the fac_Config.dot field.

Generated by OpenCVE AI on May 12, 2026 at 02:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 12 May 2026 01:15:00 +0000

Type Values Removed Values Added
Description openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() without validation or sanitation. If an attacker can modify the fac_Config.dot value, arbitrary commands may be executed in the context of the web server process. openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() without validation or sanitization. If an attacker can modify the fac_Config.dot value, arbitrary commands may be executed in the context of the web server process.

Tue, 10 Mar 2026 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:opendcim:opendcim:23.04:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Mon, 02 Mar 2026 22:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 02 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Opendcim
Opendcim opendcim
Vendors & Products Opendcim
Opendcim opendcim

Fri, 27 Feb 2026 22:30:00 +0000

Type Values Removed Values Added
Description openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() without validation or sanitation. If an attacker can modify the fac_Config.dot value, arbitrary commands may be executed in the context of the web server process.
Title openDCIM <= 23.04 OS Command Injection via dot Configuration Parameter
Weaknesses CWE-78
References
Metrics cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Opendcim Opendcim
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-12T01:02:22.084Z

Reserved: 2026-02-27T21:07:55.466Z

Link: CVE-2026-28517

cve-icon Vulnrichment

Updated: 2026-03-02T21:47:49.279Z

cve-icon NVD

Status : Modified

Published: 2026-02-27T23:16:06.357

Modified: 2026-05-12T01:16:45.947

Link: CVE-2026-28517

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T02:30:05Z

Weaknesses