Description
OpenXDMoD is an open framework for collecting and analyzing HPC metrics. An SQL injection vulnerability exists in Open XDMoD versions prior to 10.0.3 that allows an unauthenticated remote attacker to execute arbitrary SQL statements. Exploitation requires no authentication or user interaction and can result in complete compromise of the underlying database. All deployments of Open XDMoD prior to 10.0.3 are impacted. This issue was discovered on 2023-08-03 and patched on 2023-08-04. At this time there is no evidence that this vulnerability has been exploited in the wild. The vulnerability was patched in Open XDMoD 10.0.3 on 2023-08-04. As a workaround, apply the patch manually.
Published: 2026-06-05
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An SQL injection flaw exists in Open XDMoD versions before 10.0.3 that permits an unauthenticated attacker to run arbitrary SQL commands on the database. The vulnerability is a classic injection flaw (CWE‑89), enabling attackers to read, modify, or delete any data in the application’s database. The post‑exploitation consequence can be a complete database compromise, leading to loss of integrity, confidentiality, and availability of HPC metrics and user data.

Affected Systems

The affected product is Open XDMoD, an open‑source framework for HPC metrics from the ubccr project. All deployments running any version earlier than 10.0.3 are affected. No other products or vendors are listed as affected.

Risk and Exploitability

The CVSS score of 9.3 indicates critical severity. While the EPSS score is not available, the public advisory confirms that exploitation requires no authentication or user interaction, meaning an attacker can trigger it from any network location that can reach the application. The vulnerability was patched on 2023‑08‑04, and there is no evidence yet of exploitation in the wild. The CISA KEV catalog does not list this issue, but the high CVSS score and the unauthenticated remote attack vector warrant proactive remediation.

Generated by OpenCVE AI on June 5, 2026 at 21:37 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Open XDMoD to version 10.0.3 or later.
  • If an immediate upgrade is not feasible, download and apply the official patch from open.xdmod.org that addresses the injection in the relevant release series.
  • Configure the database so that only the application’s service account can connect; deny all other direct database access to reduce the attack surface.



Advisories

No advisories yet.

History

Wed, 10 Jun 2026 21:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Buffalo; Buffalo open Xdmod |
| CPEs | | cpe:2.3:a:buffalo:open_xdmod:\*:\*:\*:\*:\*:\*:\*:\* |
| Vendors & Products | | Buffalo; Buffalo open Xdmod |
| Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'} |

Mon, 08 Jun 2026 13:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |

Sun, 07 Jun 2026 11:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Ubccr; Ubccr xdmod |
| Vendors & Products | | Ubccr; Ubccr xdmod |

Fri, 05 Jun 2026 20:15:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | OpenXDMoD is an open framework for collecting and analyzing HPC metrics. An SQL injection vulnerability exists in Open XDMoD versions prior to 10.0.3 that allows an unauthenticated remote attacker to execute arbitrary SQL statements. Exploitation requires no authentication or user interaction and can result in complete compromise of the underlying database. All deployments of Open XDMoD prior to 10.0.3 are impacted. This issue was discovered on 2023-08-03 and patched on 2023-08-04. At this time there is no evidence that this vulnerability has been exploited in the wild. The vulnerability was patched in Open XDMoD 10.0.3 on 2023-08-04. As a workaround, apply the patch manually. |
| Title | | Open XDMoD Vulnerable to Unauthenticated SQL Injection Leading to Full Database Compromise |
| Weaknesses | | CWE-89 |
| References | | |
| Metrics | | cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-08T13:08:49.823Z

Reserved: 2026-05-13T07:45:21.251Z

Link: CVE-2026-45779

Vulnrichment

Updated: 2026-06-08T13:08:44.254Z

NVD

Status: Analyzed

Published: 2026-06-05T20:17:33.023

Modified: 2026-06-10T21:04:01.193

Link: CVE-2026-45779

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-07T11:15:52Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')