The OCPP DataTransfer message `ReserveLogin` is vulnerable to command injection. By manipulating the data value, arbitrary OS commands can be executed as root.CreditsWilco van Beijnum (ElaadNL)Jeroen van der Ham-de Vos (DIVD)Referenceshttps://csirt.divd.nl/DIVD-2026-00001/