Home / Vulnerability Intelligence / CVE-2026-28228

CVE-2026-28228 - Vulnerability Analysis

HighCVSS: 8.8

Last Updated: March 30, 2026

OpenOlat - Command Injection

Published: March 30, 2026Updated: March 30, 2026Remote Exploitable

Overview

OpenOlat < 19.1.31, 20.1.18, 20.2.5 contains a command injection caused by injection of Velocity directives in reminder email templates, letting authenticated Author users execute OS commands with Tomcat process privileges, exploit requires Author role.

Severity & Score

Severity: High

CVSS Score: 8.8

Impact

Authenticated Author users can execute arbitrary OS commands with Tomcat process privileges, potentially leading to full system compromise.

Mitigation

Update to versions 19.1.31, 20.1.18, or 20.2.5 or later.

References

https://github.com/OpenOLAT/OpenOLAT/security/advisories/GHSA-55qg-vvgj-ffh4

Related Resources

Details

CVE ID: CVE-2026-28228
Severity: High
CVSS Score: 8.8
Type: command_injection
Status: new

CWE

CWE-1336

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H