CVE-2026-28516 CRITICAL

CVE-2026-28516: openDCIM <= 23.04 SQL Injection in Config::UpdateParameter

Vendor Opendcim
Product openDCIM
Weakness CWE-89 · SQLi
Published February 27, 2026
Last update May 11, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements by string interpolation, without prepared statements or proper input sanitization. An authenticated user can execute arbitrary SQL statements against the underlying database.
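The two patterns the description contrasts, as an added illustration that is not openDCIM's code: a Config::UpdateParameter-style setter built by string interpolation beside the prepared-statement form, run against an in-memory SQLite database. The table AppConfig, its columns and the method names are assumptions; a config value containing an ordinary apostrophe is enough to show the difference.

```php
<?php
// Added illustration, not openDCIM's code. Table and column names are assumed.
final class ConfigStore {
    public function __construct(private PDO $db) {
        $db->exec('CREATE TABLE AppConfig (Parameter TEXT PRIMARY KEY, Value TEXT)');
        $db->exec("INSERT INTO AppConfig VALUES ('OrgName', 'Example')");
    }

    // Vulnerable: the pattern the advisory describes. $value becomes part of the
    // SQL text, so a quote in user input changes the statement instead of the data.
    public function updateParameterInterpolated(string $name, string $value): void {
        $this->db->exec("UPDATE AppConfig SET Value='$value' WHERE Parameter='$name'");
    }

    // Fixed: bound parameters travel separately from the query text, so the
    // database never parses the input as SQL.
    public function updateParameterPrepared(string $name, string $value): void {
        $stmt = $this->db->prepare('UPDATE AppConfig SET Value = :v WHERE Parameter = :n');
        $stmt->execute([':v' => $value, ':n' => $name]);
    }

    public function get(string $name): ?string {
        $stmt = $this->db->prepare('SELECT Value FROM AppConfig WHERE Parameter = :n');
        $stmt->execute([':n' => $name]);
        $row = $stmt->fetchColumn();
        return $row === false ? null : $row;
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$store = new ConfigStore($db);

// Constructed input: ordinary data with an apostrophe, no attack payload needed.
$input = "O'Brien & Sons";
try {
    $store->updateParameterInterpolated('OrgName', $input);
} catch (PDOException $e) {
    // The apostrophe terminated the string literal and the rest was parsed as SQL.
    echo "interpolated: SQL syntax error, input was treated as SQL\n";
}
$store->updateParameterPrepared('OrgName', $input);
echo 'prepared: stored ' . var_export($store->get('OrgName'), true) . "\n";
```

The same apostrophe that raises a syntax error in the interpolated version is stored verbatim by the prepared version, which is the fix the CWE-89 classification points to.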

Disclosure timeline

February 27, 2026 CVE published
May 11, 2026 Record updated
