CVE-2026-28516

Published February 27th, 2026

View on NVD ↗

CVSS v3

8.8

HIGH

CVSS v2

N/A

Affected

PROJECTS

Description

openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation without prepared statements or proper input sanitation. An authenticated user can execute arbitrary SQL statements against the underlying database.

opendcim/openDCIM

An open source (GPL v3) Data Center Inventory Management (DCIM) application.

GitHub

359

Chocapikk/opendcim-exploit

openDCIM install.php SQLi to RCE chain (CWE-862 + CWE-89 + CWE-78)

GitHub