PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45777 ubccr CVE debrief

CVE-2026-45777 is a critical vulnerability in Open XDMoD, a framework for collecting and analyzing HPC metrics. The issue, with a CVSS score of 9.3, allows an attacker to remotely execute arbitrary system commands on the web server hosting Open XDMoD with the privileges of the web server process. This could enable an attacker to read or modify application data, alter system configuration, or disrupt service availability. The vulnerability affects all deployments of Open XDMoD versions 9.5.0 through 11.0.2 (inclusive).

Vendor
ubccr
Product
xdmod
CVSS
CRITICAL 9.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-05
Original CVE updated
2026-06-10
Advisory published
2026-06-05
Advisory updated
2026-06-10

Who should care

Administrators and users of Open XDMoD versions 9.5.0 through 11.0.2 should be aware of this vulnerability and take necessary actions to mitigate it.

Technical summary

The vulnerability was privately reported on 2026-04-06 and patched in Open XDMoD 11.0.3 on 2026-05-12. The issue is associated with CWE-78 and has a CVSS vector of CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.

Defensive priority

High

Recommended defensive actions

  • Upgrade to Open XDMoD version 11.0.3 or later.
  • Apply the patch manually as a workaround: [ref-6](https://open.xdmod.org/security_patches/GHSA-29qm-7w4v-43fw-9_5_0-11_0_2.patch).

Evidence notes

The vulnerability was reported privately on 2026-04-06 and patched in Open XDMoD 11.0.3 on 2026-05-12. There is no evidence that this vulnerability has been exploited in the wild.

Official resources

CVE-2026-45777 was published on 2026-06-05T20:17:32.687Z and modified on 2026-06-10T21:06:27.410Z.