CVE-2026-45779
SQL Injection in Open XDMoD Prior to 10.0.3
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openxdmod | openxdmod | to 10.0.3 (exc) |
| ubccr | open_xdmod | to 10.0.3 (exc) |
| ubccr | open_xdmod | 10.0.3 |
| ubccr | open_xdmod | to 8.6.0 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The SQL injection vulnerability in Open XDMoD prior to version 10.0.3 allows unauthenticated remote attackers to execute arbitrary SQL statements, potentially leading to complete compromise of the underlying database.
Such a compromise can result in unauthorized access, modification, or disclosure of sensitive data, which may impact compliance with data protection regulations and standards like GDPR and HIPAA that require safeguarding the confidentiality, integrity, and availability of personal and sensitive information.
Because this vulnerability can lead to a high impact on confidentiality, integrity, and availability (as indicated by its CVSS score of 9.3), organizations using affected versions of Open XDMoD may face increased risk of non-compliance if the vulnerability is exploited.
Applying the patch or upgrading to version 10.0.3 mitigates this risk by preventing SQL injection attacks.
Can you explain this vulnerability to me?
CVE-2026-45779 is an SQL injection vulnerability in Open XDMoD versions prior to 10.0.3. It allows an unauthenticated remote attacker to execute arbitrary SQL statements on the underlying database. This happens because user-supplied input was not properly sanitized before being included in SQL queries, enabling malicious input to manipulate the database commands.
The vulnerability requires no authentication or user interaction to exploit, making it particularly dangerous. It was fixed by adding proper database quoting to user inputs in the affected code methods, preventing malicious SQL injection.
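To make the fix described above concrete, here is an added PHP illustration (not Open XDMoD code; the table, column names and the `$pdo` handle are assumptions, and the demo needs the pdo_sqlite extension): the same lookup written with string concatenation, with driver quoting of the user value, and with a prepared statement.

```php
<?php
// Added example, not from the Open XDMoD project. The "resources" table and
// the function names are hypothetical; only the pattern matters.

// Vulnerable pattern (CWE-89): the user-controlled value is concatenated into
// the statement text, so any SQL syntax inside it reaches the parser.
function findResourceVulnerable(PDO $pdo, string $resourceName): array
{
    $sql = "SELECT id, name FROM resources WHERE name = '" . $resourceName . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form 1: quote the value for the driver in use. This is the kind of
// fix the advisory describes (proper database quoting of user input).
function findResourceQuoted(PDO $pdo, string $resourceName): array
{
    $sql = 'SELECT id, name FROM resources WHERE name = ' . $pdo->quote($resourceName);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form 2 (preferred): a prepared statement keeps data and command
// separate, so there is no quoting step that can be forgotten in a new method.
function findResourcePrepared(PDO $pdo, string $resourceName): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM resources WHERE name = :name');
    $stmt->execute([':name' => $resourceName]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo on an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE resources (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO resources (name) VALUES ('cluster-a'), ('cluster-b')");

// A legitimate value that happens to contain a quote character. The vulnerable
// function lets it break the statement (a crafted value would instead alter
// the query); the quoted and prepared forms treat it as ordinary data.
$input = "cluster-o'neil";
try {
    findResourceVulnerable($pdo, $input);
} catch (PDOException $e) {
    echo "vulnerable form: SQL syntax error, the quote reached the parser\n";
}
echo 'quoted form rows: ' . count(findResourceQuoted($pdo, $input)) . "\n";
echo 'prepared form rows: ' . count(findResourcePrepared($pdo, $input)) . "\n";
```

Auditing a codebase for this class of bug means finding every place a request parameter is concatenated into SQL text and moving it to one of the two hardened forms.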
How can this vulnerability impact me?
Exploitation of this vulnerability can lead to complete compromise of the underlying database used by Open XDMoD. An attacker could execute arbitrary SQL commands remotely without any authentication, potentially leading to data theft, data manipulation, or destruction.
Because the attacker can run any SQL statement, this could result in loss of confidentiality, integrity, and availability of the data stored in the database.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
The provided context and resources do not include specific detection methods or commands to identify exploitation or presence of this SQL injection vulnerability on your network or system.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, the primary recommended step is to upgrade Open XDMoD to version 10.0.3 or later, where the issue has been patched.
If immediate upgrade is not possible, apply the manual patch provided for affected versions prior to 10.0.3. This patch modifies the relevant PHP files to properly quote user inputs and prevent SQL injection.
- Upgrade Open XDMoD to version 10.0.3 or later.
- Apply the manual patch for your version from the official security patches.