9.3
openDCIM: Untrusted Network Map Data Can Run Malicious Commands
CVE-2026-28517
Summary
An attacker may be able to run unauthorized system commands on the server running openDCIM, potentially gaining control of the server. This is possible if the attacker can modify the network map configuration. To protect against this, update to the latest version of openDCIM or restrict access to the network map configuration so that unauthorized users cannot modify it.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| opendcim | opendcim | 23.04 | – |
Original title
openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the datab...
Original description
openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() without validation or sanitation. If an attacker can modify the fac_Config.dot value, arbitrary commands may be executed in the context of the web server process.
NVD CVSS 4.0 score
9.3
Vulnerability type
CWE-78
OS Command Injection
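The defect described above is a configuration value read from the database and handed to exec() unvalidated. One way to harden that pattern, as an added example that is not openDCIM's code and not the fix in PR 1664: the function names, the allowlist of directories and the rendering arguments are assumptions made for this illustration.

```php
<?php
// Added example (not openDCIM's code): validate a database-sourced
// binary path before it reaches exec().

/**
 * Return a safe, canonical path to the Graphviz 'dot' binary, or null.
 * $configuredPath is the value read from the configuration table
 * (in openDCIM terms, fac_Config.dot); it is treated as untrusted input.
 */
function resolveDotBinary(string $configuredPath): ?string {
    // Reject anything that is not a bare absolute path: no shell
    // metacharacters, whitespace, or argument separators.
    if (!preg_match('#^/[A-Za-z0-9_./-]+$#', $configuredPath)) {
        return null;
    }
    // Canonicalise (resolves '..' and symlinks) and require an executable file.
    $real = realpath($configuredPath);
    if ($real === false || !is_file($real) || !is_executable($real)) {
        return null;
    }
    // Only the expected binary name, in a small set of trusted locations
    // (the directory list is an assumption for this example).
    $allowedDirs = ['/usr/bin', '/usr/local/bin'];
    if (basename($real) !== 'dot' || !in_array(dirname($real), $allowedDirs, true)) {
        return null;
    }
    return $real;
}

/**
 * Render a DOT file to SVG. Every argument is quoted with escapeshellarg,
 * so neither the binary path nor the file names can introduce extra commands.
 */
function renderNetworkMap(string $configuredDot, string $dotFile, string $outFile): bool {
    $dot = resolveDotBinary($configuredDot);
    if ($dot === null) {
        // Log and refuse rather than fall back to running whatever was stored.
        error_log('network map: refusing to run unvalidated dot path');
        return false;
    }
    $cmd = escapeshellarg($dot) . ' -Tsvg ' . escapeshellarg($dotFile)
         . ' -o ' . escapeshellarg($outFile);
    exec($cmd, $output, $status);
    return $status === 0;
}
```

Even with this check in place, write access to the configuration table should itself be restricted, since the allowlist only limits which binary can run, not who can change the setting.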
References
- https://chocapikk.com/posts/2026/opendcim-sqli-to-rce/
- https://github.com/Chocapikk/opendcim-exploit
- https://github.com/opendcim/openDCIM/blob/4467e9c4/report_network_map.php#L467
- https://github.com/opendcim/openDCIM/blob/4467e9c4/report_network_map.php#L7
- https://github.com/opendcim/openDCIM/pull/1664
- https://github.com/opendcim/openDCIM/pull/1664/changes/8f7ab2a710086a9c8c2695607...
- https://www.vulncheck.com/advisories/opendcim-os-command-injection-via-dot-confi...
Published: 27 Feb 2026 · Updated: 13 Mar 2026 · First seen: 6 Mar 2026