Critical severity9.8NVD Advisory· Published Feb 27, 2026· Updated May 12, 2026
CVE-2026-28517
CVE-2026-28517
Description
openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() without validation or sanitization. If an attacker can modify the fac_Config.dot value, arbitrary commands may be executed in the context of the web server process.
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
6- github.com/opendcim/openDCIM/pull/1664nvdIssue TrackingPatch
- github.com/opendcim/openDCIM/pull/1664/changes/8f7ab2a710086a9c8c269560793e47c577ddda09nvdIssue TrackingPatch
- chocapikk.com/posts/2026/opendcim-sqli-to-rce/nvdExploitThird Party Advisory
- www.vulncheck.com/advisories/opendcim-os-command-injection-via-dot-configuration-parameternvdThird Party Advisory
- github.com/opendcim/openDCIM/blob/4467e9c4/report_network_map.phpnvdProduct
- github.com/opendcim/openDCIM/blob/4467e9c4/report_network_map.phpnvdProduct
News mentions
1- Metasploit Wrap-Up 04/17/2026Rapid7 Blog · Apr 17, 2026