CVE-2019-25489 - Homey BNB V4 SQL Injection via ajax_refresh_subtotal
CVE ID : CVE-2019-25489
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the hosting_id parameter. Attackers can send GET requests to the rooms/ajax_refresh_subtotal endpoint with malicious hosting_id values to extract sensitive database information or cause denial of service.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2019-25489
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the hosting_id parameter. Attackers can send GET requests to the rooms/ajax_refresh_subtotal endpoint with malicious hosting_id values to extract sensitive database information or cause denial of service.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2019-25490 - Homey BNB V4 SQL Injection via admin edit.php
CVE ID : CVE-2019-25490
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'id' parameter. Attackers can send GET requests to the admin/edit.php endpoint with time-based SQL injection payloads to extract sensitive database information.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2019-25490
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : Homey BNB V4 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'id' parameter. Attackers can send GET requests to the admin/edit.php endpoint with time-based SQL injection payloads to extract sensitive database information.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2019-25491 - Homey BNB V4 SQL Injection via cms_getpagetitle.php
CVE ID : CVE-2019-25491
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the catid parameter. Attackers can send GET requests to the admin/cms_getpagetitle.php endpoint with malicious catid values to extract sensitive database information.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2019-25491
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the catid parameter. Attackers can send GET requests to the admin/cms_getpagetitle.php endpoint with malicious catid values to extract sensitive database information.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2019-25492 - Homey BNB V4 SQL Injection via getcmsdata.php
CVE ID : CVE-2019-25492
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pt' parameter. Attackers can send GET requests to the admin/getcmsdata.php endpoint with malicious 'pt' values to extract sensitive database information.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2019-25492
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pt' parameter. Attackers can send GET requests to the admin/getcmsdata.php endpoint with malicious 'pt' values to extract sensitive database information.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2019-25493 - Homey BNB V4 SQL Injection via getrecord.php
CVE ID : CVE-2019-25493
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'val' parameter. Attackers can send GET requests to the admin/getrecord.php endpoint with malicious 'val' values to extract sensitive database information.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2019-25493
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'val' parameter. Attackers can send GET requests to the admin/getrecord.php endpoint with malicious 'val' values to extract sensitive database information.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2019-25494 - Homey BNB V4 SQL Injection Authentication Bypass via Admin Panel
CVE ID : CVE-2019-25494
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : Homey BNB V4 contains an SQL injection vulnerability in the administration panel login that allows unauthenticated attackers to bypass authentication by injecting SQL syntax into username and password fields. Attackers can submit SQL operators like '=' 'or' in both credentials to manipulate the authentication query and gain unauthorized access to the admin panel.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2019-25494
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : Homey BNB V4 contains an SQL injection vulnerability in the administration panel login that allows unauthenticated attackers to bypass authentication by injecting SQL syntax into username and password fields. Attackers can submit SQL operators like '=' 'or' in both credentials to manipulate the authentication query and gain unauthorized access to the admin panel.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2019-25495 - osCommerce 2.3.4.1 SQL Injection via reviews_id Parameter
CVE ID : CVE-2019-25495
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the reviews_id parameter. Attackers can send GET requests to product_reviews_write.php with malicious reviews_id values using boolean-based SQL injection payloads to extract sensitive database information.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2019-25495
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the reviews_id parameter. Attackers can send GET requests to product_reviews_write.php with malicious reviews_id values using boolean-based SQL injection payloads to extract sensitive database information.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2019-25496 - osCommerce 2.3.4.1 SQL Injection via products_id Parameter
CVE ID : CVE-2019-25496
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the products_id parameter. Attackers can modify the products_id value in product_info.php requests and append boolean-based SQL injection payloads to extract sensitive database information.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2019-25496
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the products_id parameter. Attackers can modify the products_id value in product_info.php requests and append boolean-based SQL injection payloads to extract sensitive database information.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2019-25497 - osCommerce 2.3.4.1 SQL Injection via currency Parameter
CVE ID : CVE-2019-25497
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the currency parameter. Attackers can send GET requests to shopping_cart.php with malicious currency values using boolean-based SQL injection payloads to extract sensitive database information.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2019-25497
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : osCommerce 2.3.4.1 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the currency parameter. Attackers can send GET requests to shopping_cart.php with malicious currency values using boolean-based SQL injection payloads to extract sensitive database information.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-21619 - Unsafe Deserialization of Erlang Terms in hex_core
CVE ID : CVE-2026-21619
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl and program routines hex_core:request/4, mix_hex_api:request/4, r3_hex_api:request/4. This issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0.
Severity: 2.0 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-21619
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : Uncontrolled Resource Consumption, Deserialization of Untrusted Data vulnerability in hexpm hex_core (hex_api modules), hexpm hex (mix_hex_api modules), erlang rebar3 (r3_hex_api modules) allows Object Injection, Excessive Allocation. This vulnerability is associated with program files src/hex_api.erl, src/mix_hex_api.erl, apps/rebar/src/vendored/r3_hex_api.erl and program routines hex_core:request/4, mix_hex_api:request/4, r3_hex_api:request/4. This issue affects hex_core: from 0.1.0 before 0.12.1; hex: from 2.3.0 before 2.3.2; rebar3: from 3.9.1 before 3.27.0.
Severity: 2.0 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-26861 - CleverTap Web SDK Cross-Site Scripting (XSS)
CVE ID : CVE-2026-26861
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-Site Scripting (XSS) via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/nativeDisplay.js performs insufficient origin validation using the includes() method, which can be bypassed by an attacker using a subdomain
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-26861
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : CleverTap Web SDK version 1.15.2 and earlier is vulnerable to Cross-Site Scripting (XSS) via window.postMessage. The handleCustomHtmlPreviewPostMessageEvent function in src/util/campaignRender/nativeDisplay.js performs insufficient origin validation using the includes() method, which can be bypassed by an attacker using a subdomain
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-26862 - CleverTap Web SDK DOM-Based XSS
CVE ID : CVE-2026-26862
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to verify the originUrl contains "dashboard.clevertap.com", which can be bypassed by an attacker using a crafted subdomain
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-26862
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : CleverTap Web SDK version 1.15.2 and earlier is vulnerable to DOM-based Cross-Site Scripting (XSS) via window.postMessage in the Visual Builder module. The origin validation in src/modules/visualBuilder/pageBuilder.js (lines 56-60) uses the includes() method to verify the originUrl contains "dashboard.clevertap.com", which can be bypassed by an attacker using a crafted subdomain
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-27751 - SODOLA SL902-SWTGW124AS <= 200.1.20 Use of Default Credentials
CVE ID : CVE-2026-27751
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a default credentials vulnerability that allows remote attackers to obtain administrative access to the management interface. Attackers can authenticate using the hardcoded default credentials without password change enforcement to gain full administrative control of the device.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-27751
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain a default credentials vulnerability that allows remote attackers to obtain administrative access to the management interface. Attackers can authenticate using the hardcoded default credentials without password change enforcement to gain full administrative control of the device.
Severity: 9.8 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-27752 - SODOLA SL902-SWTGW124AS <= 200.1.20 Cleartext Credential Transmission
CVE ID : CVE-2026-27752
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 transmit authentication credentials over unencrypted HTTP, allowing attackers to capture credentials. An attacker positioned to observe network traffic between a user and the device can intercept credentials and reuse them to gain administrative access to the gateway.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-27752
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 transmit authentication credentials over unencrypted HTTP, allowing attackers to capture credentials. An attacker positioned to observe network traffic between a user and the device can intercept credentials and reuse them to gain administrative access to the gateway.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-27753 - SODOLA SL902-SWTGW124AS <= 200.1.20 Improper Login Rate Limiting
CVE ID : CVE-2026-27753
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an authentication bypass vulnerability that allows remote attackers to perform unlimited login attempts against the management interface. Attackers can conduct online password guessing attacks without account lockout or rate limiting restrictions to gain unauthorized access to the device management interface.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-27753
Published : Feb. 27, 2026, 6:16 p.m. | 1 hour, 3 minutes ago
Description : SODOLA SL902-SWTGW124AS firmware versions through 200.1.20 contain an authentication bypass vulnerability that allows remote attackers to perform unlimited login attempts against the management interface. Attackers can conduct online password guessing attacks without account lockout or rate limiting restrictions to gain unauthorized access to the device management interface.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-2880 - @fastify/middie has an improper path normalization vulnerability
CVE ID : CVE-2026-2880
Published : Feb. 27, 2026, 6:25 p.m. | 54 minutes ago
Description : A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-2880
Published : Feb. 27, 2026, 6:25 p.m. | 54 minutes ago
Description : A vulnerability in @fastify/middie versions < 9.2.0 can result in authentication/authorization bypass when using path-scoped middleware (for example, app.use('/secret', auth)). When Fastify router normalization options are enabled (such as ignoreDuplicateSlashes, useSemicolonDelimiter, and related trailing-slash behavior), crafted request paths may bypass middleware checks while still being routed to protected handlers.
Severity: 8.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-22716 - VMware Workstation and VMware Fusion out-of-bound read vulnerability
CVE ID : CVE-2026-22716
Published : Feb. 27, 2026, 7:01 p.m. | 18 minutes ago
Description : Out-of-bound read vulnerability in VMware Workstation 25H1 and below on any platform allows an actor with non-administrative privileges on a guest VM to obtain limited information disclosure from the machine where VMware Workstation is installed.
Severity: 2.7 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-22716
Published : Feb. 27, 2026, 7:01 p.m. | 18 minutes ago
Description : Out-of-bound read vulnerability in VMware Workstation 25H1 and below on any platform allows an actor with non-administrative privileges on a guest VM to obtain limited information disclosure from the machine where VMware Workstation is installed.
Severity: 2.7 | LOW
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-28515 - openDCIM <= 23.04 Missing Authorization in install.php
CVE ID : CVE-2026-28515
Published : Feb. 27, 2026, 10:11 p.m. | 1 hour, 6 minutes ago
Description : openDCIM version 23.04, through commit 4467e9c4, contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks. Any authenticated user can access this functionality regardless of assigned privileges. In deployments where REMOTE_USER is set without authentication enforcement, the endpoint may be accessible without credentials. This allows unauthorized modification of application configuration.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-28515
Published : Feb. 27, 2026, 10:11 p.m. | 1 hour, 6 minutes ago
Description : openDCIM version 23.04, through commit 4467e9c4, contains a missing authorization vulnerability in install.php and container-install.php. The installer and upgrade handler expose LDAP configuration functionality without enforcing application role checks. Any authenticated user can access this functionality regardless of assigned privileges. In deployments where REMOTE_USER is set without authentication enforcement, the endpoint may be accessible without credentials. This allows unauthorized modification of application configuration.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-28516 - openDCIM <= 23.04 SQL Injection in Config::UpdateParameter
CVE ID : CVE-2026-28516
Published : Feb. 27, 2026, 10:11 p.m. | 1 hour, 6 minutes ago
Description : openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation without prepared statements or proper input sanitation. An authenticated user can execute arbitrary SQL statements against the underlying database.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-28516
Published : Feb. 27, 2026, 10:11 p.m. | 1 hour, 6 minutes ago
Description : openDCIM version 23.04, through commit 4467e9c4, contains a SQL injection vulnerability in Config::UpdateParameter. The install.php and container-install.php handlers pass user-supplied input directly into SQL statements using string interpolation without prepared statements or proper input sanitation. An authenticated user can execute arbitrary SQL statements against the underlying database.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-28423 - Statamic Vulnerable to Server-Side Request Forgery via Glide
CVE ID : CVE-2026-28423
Published : Feb. 27, 2026, 10:11 p.m. | 1 hour, 6 minutes ago
Description : Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. This has been fixed in 5.73.11 and 6.4.0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-28423
Published : Feb. 27, 2026, 10:11 p.m. | 1 hour, 6 minutes ago
Description : Statmatic is a Laravel and Git powered content management system (CMS). Prior to versions 5.73.11 and 6.4.0, when Glide image manipulation is used in insecure mode (which is not the default), the image proxy can be abused by an unauthenticated user to make the server send HTTP requests to arbitrary URLs—either via the URL directly or via the watermark feature. That can allow access to internal services, cloud metadata endpoints, and other hosts reachable from the server. This has been fixed in 5.73.11 and 6.4.0.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-28517 - openDCIM <= 23.04 OS Command Injection via dot Configuration Parameter
CVE ID : CVE-2026-28517
Published : Feb. 27, 2026, 10:12 p.m. | 1 hour, 6 minutes ago
Description : openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() without validation or sanitation. If an attacker can modify the fac_Config.dot value, arbitrary commands may be executed in the context of the web server process.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-28517
Published : Feb. 27, 2026, 10:12 p.m. | 1 hour, 6 minutes ago
Description : openDCIM version 23.04, through commit 4467e9c4, contains an OS command injection vulnerability in report_network_map.php. The application retrieves the 'dot' configuration parameter from the database and passes it directly to exec() without validation or sanitation. If an attacker can modify the fac_Config.dot value, arbitrary commands may be executed in the context of the web server process.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...