CVE-2026-26002

Open OnDemand is an open-source high-performance computing portal. The Files application in OnDemand versions prior to 4.0.9 and 4.1.3 is susceptible to malicious input when navigating to a directory. This has been patched in versions 4.0.9 and 4.1.3. Versions below this remain susceptible.
Configurations

Configuration 1

OR cpe:2.3:a:osc:open_ondemand:*:*:*:*:*:*:*:*
cpe:2.3:a:osc:open_ondemand:*:*:*:*:*:*:*:*
cpe:2.3:a:osc:open_ondemand:*:*:*:*:*:*:*:*

History

18 Mar 2026, 16:09

Type Values Removed Values Added
CPE cpe:2.3:a:osc:open_ondemand:*:*:*:*:*:*:*:*
Summary
  • (es) Open OnDemand is an open-source high-performance computing portal. The Files application in OnDemand versions prior to 4.0.9 and 4.1.3 is susceptible to malicious input when navigating to a directory. This has been patched in versions 4.0.9 and 4.1.3. Versions prior to this remain susceptible.
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.8
First Time Osc
Osc open Ondemand
References () https://github.com/OSC/ondemand/commit/23cb167222886fdd8415277ca5c1215f4c32629c - () https://github.com/OSC/ondemand/commit/23cb167222886fdd8415277ca5c1215f4c32629c - Patch
References () https://github.com/OSC/ondemand/commit/37f0ae4efb222e9c0af250feae860a720427df16 - () https://github.com/OSC/ondemand/commit/37f0ae4efb222e9c0af250feae860a720427df16 - Patch
References () https://github.com/OSC/ondemand/security/advisories/GHSA-f83q-mhrr-3cr2 - () https://github.com/OSC/ondemand/security/advisories/GHSA-f83q-mhrr-3cr2 - Vendor Advisory

04 Mar 2026, 23:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-03-04 23:16

Updated : 2026-03-18 16:09


NVD link : CVE-2026-26002

Mitre link : CVE-2026-26002

CVE.ORG link : CVE-2026-26002



Products Affected

osc

  • open_ondemand
CWE
CWE-74

Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')