Description
OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Starting in version 9.5.0 and prior to version 11.0.3, an attacker can remotely execute arbitrary system commands on the web server hosting Open XDMoD with the privileges of the web server process. This could allow an attacker to read or modify application data, alter system configuration, or disrupt service availability. All deployments of Open XDMoD versions 9.5.0 through 11.0.2 (inclusive) are impacted. This issue was reported privately on 2026-04-06, and at this time there is no evidence that this vulnerability has been exploited in the wild. The vulnerability was patched in Open XDMoD 11.0.3 on 2026-05-12. As a workaround, apply the patch manually.
Published: 2026-06-05
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Open XDMoD versions 9.5.0 through 11.0.2 allow an attacker to inject operating‑system commands via an unauthenticated web request, resulting in execution of arbitrary commands with the privileges of the web server process. The attacker can read or modify application data, alter system configuration, or disrupt service availability. The vulnerability is a classic command‑injection flaw (CWE‑78).

Affected Systems

The affected product is Open XDMoD from ubccr:xdmod. All deployments running any Open XDMoD version from 9.5.0 up to and including 11.0.2 are impacted. The patch that addresses the flaw is included in version 11.0.3, released on 2026‑05‑12.

Risk and Exploitability

The CVSS score of 9.3 rates this vulnerability as critical; no EPSS estimate was available at the time of analysis, and no evidence of exploitation in the wild has been reported. The flaw can be exploited by sending a crafted HTTP request to a vulnerable Open XDMoD installation that is reachable over the network. Once triggered, the attacker gains the same privileges as the web server process, which gives control over the host at that privilege level. The vulnerability is not listed in the CISA KEV catalog, but its high severity and remote, unauthenticated nature warrant immediate attention.

Generated by OpenCVE AI on June 5, 2026 at 21:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Open XDMoD version 11.0.3 or later, which removes the command‑injection flaw.
  • If an upgrade is not immediately feasible, apply the manual patch GHSA-29qm-7w4v-43fw-9_5_0-11_0_2.patch to all affected instances.
  • Reconfigure the web server to run under the least privileged account necessary for the service, limiting the damage potential of any remaining command‑execution capability.

Advisories

No advisories yet.

History

Wed, 10 Jun 2026 21:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Buffalo; Buffalo open Xdmod
CPEs | | cpe:2.3:a:buffalo:open_xdmod:*:*:*:*:*:*:*:*
Vendors & Products | | Buffalo; Buffalo open Xdmod
Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

Sun, 07 Jun 2026 11:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Ubccr; Ubccr xdmod
Vendors & Products | | Ubccr; Ubccr xdmod

Fri, 05 Jun 2026 21:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 20:15:00 +0000

Type | Values Removed | Values Added
Description | | OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Starting in version 9.5.0 and prior to version 11.0.3, an attacker can remotely execute arbitrary system commands on the web server hosting Open XDMoD with the privileges of the web server process. This could allow an attacker to read or modify application data, alter system configuration, or disrupt service availability. All deployments of Open XDMoD versions 9.5.0 through 11.0.2 (inclusive) are impacted. This issue was reported privately on 2026-04-06, and at this time there is no evidence that this vulnerability has been exploited in the wild. The vulnerability was patched in Open XDMoD 11.0.3 on 2026-05-12. As a workaround, apply the patch manually.
Title | | Open XDMoD Vulnerable to Unauthenticated Remote Code Execution (RCE) via OS Command Injection
Weaknesses | | CWE-78
References | |
Metrics | | cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T20:26:14.285Z

Reserved: 2026-05-13T07:45:21.251Z

Link: CVE-2026-45777

Vulnrichment

Updated: 2026-06-05T20:26:07.399Z

NVD

Status: Analyzed

Published: 2026-06-05T20:17:32.687

Modified: 2026-06-10T21:06:27.410

Link: CVE-2026-45777

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-07T11:15:58Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')