PT-2026-22426 · Opendcim · Opendcim

Valentin Lobstein · Published 2026-02-27 · Updated 2026-03-10 · CVE-2026-28516

CVSS v4.0: 9.3 Critical
AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: openDCIM versions through 23.04 commit 4467e9c4

Description: openDCIM contains a SQL injection vulnerability in the Config::UpdateParameter function. The install.php and container-install.php handlers pass user-supplied input into SQL statements that are built by string interpolation, with no prepared statements and no adequate validation or sanitization of the affected parameters before they reach the query. An authenticated user can use this to execute arbitrary SQL statements against the openDCIM database.

Recommendations: Versions prior to 23.04 commit 4467e9c4 should be updated.
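To make the defect concrete, the following is an added example and not code from the openDCIM project: a Python model of a key/value configuration update against an in-memory SQLite database, written once in the string-interpolated form the advisory describes and once with a prepared statement. The table name fac_Config, its columns, the seeded rows and the two payloads are constructed for illustration and are not taken from the advisory or from openDCIM's schema.

```python
import sqlite3

# Constructed schema: a key/value configuration table. The table and column
# names and the sample rows are assumptions for this example, not openDCIM's.
SCHEMA = """
CREATE TABLE fac_Config (
    Parameter TEXT PRIMARY KEY,
    Value     TEXT NOT NULL
);
INSERT INTO fac_Config VALUES ('OrgName', 'Example Org');
INSERT INTO fac_Config VALUES ('Version', '23.04');
INSERT INTO fac_Config VALUES ('Locale',  'en_US');
"""


def fresh_db() -> sqlite3.Connection:
    """Return a new in-memory database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def update_parameter_interpolated(conn, parameter: str, value: str) -> int:
    """Vulnerable pattern: caller-supplied strings spliced into the SQL text.

    Both arguments land inside the statement verbatim, so a single quote in
    either one lets the caller rewrite the WHERE clause or the statement.
    Returns the number of rows changed.
    """
    sql = f"UPDATE fac_Config SET Value='{value}' WHERE Parameter='{parameter}'"
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount


def update_parameter_prepared(conn, parameter: str, value: str) -> int:
    """Hardened pattern: placeholders, values bound by the driver as data.

    The SQL text is fixed at development time; quotes in the inputs are just
    characters to compare against, never syntax.
    """
    cur = conn.execute(
        "UPDATE fac_Config SET Value = ? WHERE Parameter = ?",
        (value, parameter),
    )
    conn.commit()
    return cur.rowcount


def snapshot(conn) -> dict:
    """Current table contents as {Parameter: Value}."""
    rows = conn.execute("SELECT Parameter, Value FROM fac_Config ORDER BY Parameter")
    return dict(rows.fetchall())


# Constructed payloads. The first abuses the Parameter position so the WHERE
# clause matches every row; the second abuses the Value position to close the
# literal, supply its own WHERE clause and comment out the real one.
PAYLOAD_PARAMETER = "Locale' OR '1'='1"
PAYLOAD_VALUE = "tampered' WHERE Parameter='Version' -- "


def demo() -> dict:
    """Run both patterns against both payloads and collect the outcomes."""
    results = {}

    db = fresh_db()
    results["interp_where_rows"] = update_parameter_interpolated(db, PAYLOAD_PARAMETER, "owned")
    results["interp_where_state"] = snapshot(db)

    db = fresh_db()
    results["interp_value_rows"] = update_parameter_interpolated(db, "Locale", PAYLOAD_VALUE)
    results["interp_value_state"] = snapshot(db)

    db = fresh_db()
    results["prepared_where_rows"] = update_parameter_prepared(db, PAYLOAD_PARAMETER, "owned")
    results["prepared_value_rows"] = update_parameter_prepared(db, "Locale", PAYLOAD_VALUE)
    results["prepared_state"] = snapshot(db)
    return results


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

With the interpolated form, the Parameter payload overwrites all three rows and the Value payload silently retargets the update from Locale to Version; with the prepared form the first payload matches nothing and the second is stored as a literal string in Locale. Note that placeholders only cover value positions: if a caller-controlled string were ever used as a table or column name, binding cannot help and an allowlist of permitted identifiers is the right check.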

Weakness Enumeration: SQL injection

Related Identifiers: CVE-2026-28516

Affected Products: Opendcim