Home / Vulnerability Intelligence / CVE-2026-28228

CVE-2026-28228 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: April 1, 2026

OpenOlat - Command Injection

Published: March 30, 2026Updated: April 1, 2026Remote Exploitable

Overview

OpenOlat < 19.1.31, 20.1.18, 20.2.5 contains a command injection caused by injection of Velocity directives in reminder email templates, letting authenticated Author users execute OS commands with Tomcat process privileges, exploit requires Author role.

Severity & Score

Severity: High

CVSS Score: 8.8

EPSS Score: 4.7%(Probability of exploitation in next 30 days)

Impact

Authenticated Author users can execute arbitrary OS commands with Tomcat process privileges, potentially leading to full system compromise.

Mitigation

Update to versions 19.1.31, 20.1.18, or 20.2.5 or later.

References

https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-55qg-vvgj-ffh4

Social Media Activity(1 post)

greg

@greg

Mar 31, 2026

Our colleague @mal had another look at OpenOLAT and found a nice RCE (CVE-2026-28228 and CVE-2026-28228). If you're interested, details can be found on our blog https://secfault-security.com/blog/openolat-ssti.html

View original post

Related Resources

Details

CVE ID: CVE-2026-28228
Severity: High
CVSS Score: 8.8
Type: command_injection
Status: unconfirmed
EPSS: 4.7%
Social Posts: 1

CWE

CWE-1336

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score

4.7%Probability of exploitation in the next 30 days