openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation without prepared statements or proper input sanitation. An authenticated user can execute arbitrary SQL statements against the underlying database.
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/28xxx/CVE-2026-28516.json",
"cna_assigner": "VulnCheck",
"cwe_ids": [
"CWE-89"
]
}{
"source": [
"AFFECTED_FIELD",
"CPE_STRING"
],
"cpe": "cpe:2.3:a:opendcim:opendcim:23.04:*:*:*:*:*:*:*",
"extracted_events": [
{
"introduced": "0"
},
{
"last_affected": "23.04"
},
{
"introduced": "23.04"
}
]
}