openDCIM: Authenticated users can execute arbitrary database queries
CVE-2026-28516
Severity: 9.3 (NVD CVSS 4.0)
Summary
An authenticated user can potentially take control of the openDCIM database by exploiting a flaw in the way user-supplied input is placed into database queries (SQL injection). This could allow them to view, modify, or delete sensitive data. To protect your system, update to the latest version of openDCIM or apply a patch if one is available.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| opendcim | opendcim | 23.04 | – |
Original title
openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input direc...
Original description
openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation, without prepared statements or proper input sanitization. An authenticated user can execute arbitrary SQL statements against the underlying database.
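The two patterns the description contrasts, shown side by side as an added illustration (this is not openDCIM's code and not the fix from PR 1664): a parameter update built by string interpolation, and the same update done with a PDO prepared statement. The table name `Config`, the columns `Parameter` and `Value`, and the function names are assumptions for the demo.

```php
<?php
// Illustrative example, not openDCIM's code. Assumes a table "Config"
// with columns "Parameter" and "Value"; the real schema may differ.

// Pattern the advisory describes: the caller's input is interpolated
// straight into the SQL text, so any quote character in $value or $name
// becomes part of the statement instead of part of the data.
function updateParameterUnsafe(PDO $db, string $name, string $value): void
{
    $sql = "UPDATE Config SET Value='$value' WHERE Parameter='$name'";
    $db->exec($sql);
}

// Hardened form: the SQL text is fixed at prepare time and the inputs are
// bound as values, so they can never change the shape of the statement.
function updateParameterSafe(PDO $db, string $name, string $value): bool
{
    $stmt = $db->prepare(
        'UPDATE Config SET Value = :value WHERE Parameter = :name'
    );
    $stmt->bindValue(':value', $value, PDO::PARAM_STR);
    $stmt->bindValue(':name', $name, PDO::PARAM_STR);
    return $stmt->execute();
}

// Self-contained demo on an in-memory SQLite database (constructed data).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// On MySQL, also disable client-side emulation so the server itself
// parses the statement before any values are bound:
// $db->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
$db->exec('CREATE TABLE Config (Parameter TEXT PRIMARY KEY, Value TEXT)');
$db->exec("INSERT INTO Config VALUES ('OrgName', 'Example')");

// A value containing a single quote is stored verbatim by the safe version;
// the same input would break the interpolated statement above.
updateParameterSafe($db, 'OrgName', "O'Brien DC");
$stored = $db->query("SELECT Value FROM Config WHERE Parameter='OrgName'")
             ->fetchColumn();
echo $stored, PHP_EOL; // O'Brien DC
```

When reviewing a fix for this class of bug, check that every call site of the update routine (here install.php and container-install.php) goes through the prepared-statement path, not only the helper itself.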
NVD CVSS 4.0 score: 9.3
Vulnerability type
CWE-89
SQL Injection
References
- https://chocapikk.com/posts/2026/opendcim-sqli-to-rce/
- https://github.com/Chocapikk/opendcim-exploit
- https://github.com/opendcim/openDCIM/blob/4467e9c4/config.inc.php#L75-L90
- https://github.com/opendcim/openDCIM/blob/4467e9c4/install.php#L420-L434
- https://github.com/opendcim/openDCIM/pull/1664
- https://github.com/opendcim/openDCIM/pull/1664/changes/8f7ab2a710086a9c8c2695607...
- https://www.vulncheck.com/advisories/opendcim-sql-injection-in-config-updatepara...
Published: 27 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026