The hook
openDCIM is often deployed close to data-center inventory, racks, power, and network maps. CVE-2026-28517 sits in report generation: a Graphviz `dot` command path read from configuration can reach shell execution if the vulnerable source pattern is present.
Как работи
The repo check looks for `report_network_map.php` source where the openDCIM `dot` configuration value flows into PHP `exec()` without recognized shell escaping. The signal is intentionally narrow: file-specific, configuration-specific, and source-only.
The blast radius
If the affected file is deployed and an attacker can influence the `dot` configuration path under the conditions described by the advisory, command execution may affect the openDCIM host. A repo match should drive an upgrade or patch review before anyone treats it as confirmed production compromise.
// what fixvibe checks
What FixVibe checks
FixVibe repo scans look for high-confidence security patterns and dependency risk in source context. Reports identify the affected area and recommended fix. For check-specific questions about exact detection heuristics, active payload details, or source-code rule patterns, contact support@fixvibe.app.
Ironclad defenses
Upgrade openDCIM to a fixed release or apply the upstream patch. If maintaining a fork, validate the Graphviz executable path against a strict allowlist, avoid shell command strings where possible, escape any remaining shell boundary, and rerun the repo scan after patching.