CRITICALCVE-2026-28516Published Modified CNA VulnCheck
CVE-2026-28516: openDCIM <= 23.04 SQL Injection in Config::UpdateParameter
openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation without prepared statements or proper input sanitation. An authenticated user can execute arbitrary SQL statements against the underlying database.
Metrics
- CVSS v4.0
- 9.3
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
Affected packages
- openDCIM / openDCIM≤ 23.04
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N