CVE-2026-28516
published 2026-02-27


Priority: P2 · 63 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Exploit available: yes
EPSS: 0.97% (57.5th percentile)
openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation, without prepared statements or proper input sanitization. An authenticated user can execute arbitrary SQL statements against the underlying database.

Affected (2 ranges)

Vendor     Product    Version range   Fixed in
opendcim   opendcim   <= 23.04
opendcim   opendcim

Detection & IOCs (extracted from sources)

path: /install.php
path: /container-install.php
path: /report_network_map.php
command: SQL injection via LDAP configuration form to overwrite Graphviz dot binary path in fac_Config
  • Monitor HTTP POST/GET requests to install.php and container-install.php on openDCIM deployments; these endpoints should not be reachable after installation, so any traffic to them is suspicious.
  • The exploit chain requires exactly five HTTP requests to achieve RCE and spawn a reverse shell; correlate sequences of rapid requests across install.php and report_network_map.php from the same source IP.
  • Flag modifications to the Graphviz dot binary path value in the fac_Config table of the openDCIM database, as the exploit overwrites this value to achieve command injection.
  • The SQL injection vulnerability is exploitable by authenticated users in standard deployments; however, in Docker deployments where REMOTE_USER is set without authentication enforcement, install.php may be reachable without credentials.
  • The vulnerability affects openDCIM version 23.04 through commit 4467e9c4; the Metasploit module confirms the range extends through version 25.01 on Ubuntu with Apache.
  • Full RCE via the exploit chain depends on the Graphviz dot binary path being configurable in fac_Config and on report_network_map.php being accessible; the exploit restores the original config after payload delivery.
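A log-side check for the first two detection points above (installer endpoints that should be dead post-install, and an installer hit followed quickly by report_network_map.php from the same source). This is an added illustration, not part of this record or of openDCIM; the Apache-style log lines, IP addresses and the five-minute correlation window are constructed.

```python
import re
from collections import namedtuple
from datetime import datetime, timedelta

# Assumes Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
INSTALL_PATHS = {"/install.php", "/container-install.php"}  # from the IOC list
CHAIN_PATH = "/report_network_map.php"                        # second stage of the chain

Hit = namedtuple("Hit", "ip method path status")

def parse(line):
    """Parse one access-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z")
    d["path"] = d["path"].split("?", 1)[0]  # ignore the query string
    return d

def detect(lines, window=timedelta(minutes=5)):
    """Return (install_hits, chain_sources).

    install_hits: every request to an installer endpoint, regardless of status.
    chain_sources: source IPs that touched an installer endpoint and then
    report_network_map.php within `window` (window value is an assumption).
    """
    hits, first_install, chain = [], {}, set()
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        if r["path"] in INSTALL_PATHS:
            hits.append(Hit(r["ip"], r["method"], r["path"], r["status"]))
            first_install.setdefault(r["ip"], r["ts"])
        elif r["path"] == CHAIN_PATH and r["ip"] in first_install:
            if r["ts"] - first_install[r["ip"]] <= window:
                chain.add(r["ip"])
    return hits, chain

# Constructed sample traffic (documentation IP ranges, not real hosts).
SAMPLE_LOG = """\
203.0.113.7 - - [27/Feb/2026:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120
203.0.113.7 - - [27/Feb/2026:10:00:09 +0000] "POST /install.php HTTP/1.1" 200 812
203.0.113.7 - - [27/Feb/2026:10:00:12 +0000] "POST /install.php HTTP/1.1" 200 812
203.0.113.7 - - [27/Feb/2026:10:00:20 +0000] "GET /report_network_map.php HTTP/1.1" 200 77
198.51.100.4 - - [27/Feb/2026:10:30:00 +0000] "GET /container-install.php HTTP/1.1" 404 210
198.51.100.4 - - [27/Feb/2026:11:30:00 +0000] "GET /report_network_map.php HTTP/1.1" 200 3000
192.0.2.9 - - [27/Feb/2026:10:05:00 +0000] "GET /report_network_map.php?x=1 HTTP/1.1" 200 3000"""

if __name__ == "__main__":
    print(detect(SAMPLE_LOG.splitlines()))
```

Only 203.0.113.7 is reported as a chain source: 198.51.100.4 reached report_network_map.php an hour after its installer probe, and 192.0.2.9 never touched an installer endpoint.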

CVSS provenance

Source   Version   Score   Severity   Vector
nvd      v3.1      8.8     HIGH       CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvd      v4.0      9.3     CRITICAL   CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X