CVE-2026-28517
CRITICALCVSS v3
9.8
CRITICAL
EPSS Score
31.4%
exploit probability
CISA KEV
No
known exploited
Exploitation
—
SSVC status
Description
openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() without validation or sanitation. If an attacker can modify the fac_Config.dot value, arbitrary commands may be executed in the context of the web server process.
Technical Details
- CVSS v3 Vector
- 3.1
- Published
- 2/27/2026
- Last Modified
- 3/10/2026
Frequently Asked Questions
What is CVE-2026-28517?
openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() without validation or sanitation. If an attacker can modify the fac_Config.dot value, arbitrary commands may be executed in the context of the web server process.
Is CVE-2026-28517 actively exploited?
Active exploitation of CVE-2026-28517 has not been confirmed. The EPSS score is 31.4%, indicating the estimated probability of exploitation in the next 30 days.
What is the CVSS score for CVE-2026-28517?
CVE-2026-28517 has a CVSS v3 base score of 9.8 (CRITICAL severity), with vector string 3.1.
Is CVE-2026-28517 affecting your environment?
Use isMalicious to check if any of your IPs or domains are associated with this vulnerability's IOCs.