CVE-2026-28517

Name of the Vulnerable Software and Affected Versions openDCIM versions 23.04 through commit 4467e9c4

Description The application retrieves the dot configuration parameter from the database and passes it directly to the exec() function without validation or sanitation. If an attacker can modify the fac Config.dot value, arbitrary commands may be executed in the context of the web server process. The vulnerable file is report network map.php.

Recommendations Versions prior to commit 4467e9c4 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.