CVE-2026-28516

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-28516
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28516.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-28516
Published
2026-02-27T23:16:06.180Z
Modified
2026-04-02T13:23:06.799611Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
[none]
Details

openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation without prepared statements or proper input sanitation. An authenticated user can execute arbitrary SQL statements against the underlying database.

References

Affected packages

Git / github.com/opendcim/openDCIM

Affected ranges

Type
GIT
Repo
https://github.com/opendcim/openDCIM
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
5e24d4c5daff7f3db12a90594b9ad56e136fc374
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "23.04"
        }
    ]
}

Affected versions

1.*
1.3
18.*
18.01
18.02
19.*
19.01
2.*
2.0
2.0.1
2.0.2
2.1
2.1-RC0
20.*
20.01
20.02
21.*
21.01
23.*
23.01
23.02
23.03
23.04
3.*
3.0
3.1
3.2
3.2.1
3.3
4.*
4.0-beta.1
4.0-beta.2
4.0.1
4.1
4.1.1
4.2
4.2-Release
4.3
4.3.1
4.4
4.5
openDCIM-1.*
openDCIM-1.3
openDCIM-1.5
openDCIM-1.5.1
openDCIM-1.5.2
openDCIM-18.*
openDCIM-18.01
openDCIM-2.*
openDCIM-2.0-RC0
openDCIM-21.*
openDCIM-21.01
openDICM-1.*
openDICM-1.4
v4.*
v4.0
v4.0a

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-28516.json"