Command Injection Vulnerability in OCPP DataTransfer Message by OCPP Vendor
CVE-2026-22100

8.6HIGH

Key Information:

Vendor

Evbee

Status
Vendor
CVE Published:
13 July 2026

What is CVE-2026-22100?

The OCPP DataTransfer message 'ReserveLogin' is susceptible to a command injection flaw, which allows attackers to craft malicious data values. If exploited, this vulnerability enables the execution of arbitrary operating system commands with root privileges, potentially compromising the entire system. Organizations using OCPP DataTransfer should assess their implementations and consider applying necessary mitigations to safeguard against such attacks.

Affected Version(s)

DC-80 0 < 1.5.1

References

CVSS V4

Score:
8.6
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Wilco van Beijnum (ElaadNL)
Jeroen van der Ham-de Vos (DIVD)
.