Description
OpenCATS 0.9.4 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised as resume attachments. Attackers can upload PHP payloads through the careers job application endpoint and execute system commands via POST requests to the uploaded file in the upload directory.
Published: 2026-05-10
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in OpenCATS 0.9.4 permits an unauthenticated attacker to upload a PHP file disguised as a resume via the careers job application endpoint. When the uploaded file is later accessed through a POST request, arbitrary shell commands are executed on the server, providing full control of the system. The weakness is a missing authentication check (CWE-306) that allows upload of executable PHP payloads.

Affected Systems

OpenCATS version 0.9.4 is the only version explicitly listed as vulnerable in the CNA data. No other versions or related products are specified, so the impact is limited to deployments that are running that exact version or an unpatched default installation.

Risk and Exploitability

The CVSS base score of 9.3 signals critical severity. EPSS is not available, so the relative exploitation likelihood cannot be quantified. The exploit-db reference demonstrates a publicly available exploitation method; based on the references, it is inferred that the flaw can be readily exploited by attackers. The vulnerability is not listed in the CISA KEV catalog, but the presence of an active public exploit indicates an elevated risk for systems hosting the affected application.

Generated by OpenCVE AI on May 10, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official vendor patch or upgrade to the latest OpenCATS release (e.g., 0.9.5 or later).
  • Configure the web server to block execution of uploaded PHP files, such as by adding an .htaccess rule that disables PHP in the upload directory.
  • Restrict the file upload functionality to allow only safe file types (e.g., PDF or plain text) and validate MIME types before storing them.
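As an added illustration of the last two actions (example code, not OpenCATS code), a PHP handler that accepts only PDF or plain-text resumes, decides the content type from the file bytes rather than the client's claim, and stores the file under a server-generated name. The $destDir parameter is a hypothetical path and is assumed to point at a directory the web server is configured not to execute scripts from.

```php
<?php
// Added example (not OpenCATS code): validate a resume upload before storing it.
// $upload is one entry of $_FILES; $destDir is a hypothetical directory path
// that the web server must also be configured not to execute PHP from.
declare(strict_types=1);

// Allow-list keyed by the MIME type libmagic detects from the bytes.
const ALLOWED_TYPES = [
    'application/pdf' => 'pdf',
    'text/plain'      => 'txt',
];

function validateResumeUpload(array $upload, string $destDir): string
{
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    // Refuse anything that did not arrive through PHP's upload mechanism.
    if (!is_uploaded_file($upload['tmp_name'])) {
        throw new RuntimeException('Not an uploaded file');
    }
    // Trust the bytes, not the client-supplied name or Content-Type header;
    // a file starting with "<?php" is reported as text/x-php, not text/plain.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($upload['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException("Rejected MIME type: $mime");
    }
    // Require the client extension to agree with the detected type, so
    // "resume.php" carrying a valid PDF header is still refused.
    $ext = strtolower(pathinfo($upload['name'], PATHINFO_EXTENSION));
    if ($ext !== ALLOWED_TYPES[$mime]) {
        throw new RuntimeException("Extension .$ext does not match type $mime");
    }
    // Server-generated name: no user-controlled characters, fixed extension.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dest = rtrim($destDir, '/') . '/' . $name;
    if (!move_uploaded_file($upload['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    chmod($dest, 0640); // readable by the application, never executable
    return $name;
}
```

The check is defence in depth: the web-server rule in the second action still matters, because a validator bug or a future file type added to the allow-list should not turn the upload directory back into a code-execution path.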

Advisories

No advisories yet.

History

Sun, 10 May 2026 13:00:00 +0000

Type | Values Removed | Values Added
Description | | OpenCATS 0.9.4 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised as resume attachments. Attackers can upload PHP payloads through the careers job application endpoint and execute system commands via POST requests to the uploaded file in the upload directory.
Title | | OpenCATS 0.9.4 Remote Code Execution via Resume Upload
First Time appeared | | Opencats; Opencats opencats
Weaknesses | | CWE-306
CPEs | | cpe:2.3:a:opencats:opencats:*:*:*:*:*:*:*:*
Vendors & Products | | Opencats; Opencats opencats
References | |
Metrics | | cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-10T12:43:54.993Z

Reserved: 2026-02-01T11:24:18.717Z

Link: CVE-2021-47936

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-10T13:16:29.830

Modified: 2026-05-10T13:16:29.830

Link: CVE-2021-47936

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T15:30:14Z

Weaknesses