Description
OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter. Attackers can break out of the define() string context in config.php using a single quote and statement separator to inject malicious PHP code that persists and executes on every subsequent page load when the installation wizard remains incomplete.
Published: 2026-04-28
Score: 9.2 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

The exposed installer AJAX endpoint allows an unauthenticated attacker to inject PHP code via the databaseConnectivity action parameter. By inserting a single quote and statement separator, the attacker can break out of the define() string context in config.php and embed malicious PHP that is written to the files used by the application. Once injected, the code persists and executes on every page load while the installation wizard remains incomplete, giving the attacker full control to run arbitrary commands, exfiltrate data, and establish back‑doors.

Affected Systems

All installations of OpenCATS running a code base prior to the commit that introduced the fix (commit 3002a29f4c3cada1aa2c4f3d4ae4e189906606b6) are affected. No specific version numbers are listed, so any deployment of OpenCATS before this update carries the vulnerability.

Risk and Exploitability

The CVSS score of 9.2 classifies this as a Severe vulnerability. The EPSS score is not available, but the lack of a KEV listing does not reduce the risk of exploitation. Attackers need only HTTP access to the site; no authentication is required to reach the AJAX endpoint. By supplying a crafted payload in the databaseConnectivity action, they can inject PHP that survives consecutive requests until the installer wizard is completed, thereby achieving remote code execution.

Generated by OpenCVE AI on April 28, 2026 at 19:15 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest OpenCATS release that includes commit 3002a29f4c3cada1aa2c4f3d4ae4e189906606b6.
  • Complete the installation wizard immediately after installing or updating the software to prevent any residual PHP code execution.
  • Configure the web server or application firewall to restrict or deny access to the installer AJAX endpoint once the site is fully configured—ideally removing the endpoint altogether if it is no longer needed.

Generated by OpenCVE AI on April 28, 2026 at 19:15 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Opencats
Opencats opencats
Vendors & Products Opencats
Opencats opencats

Tue, 28 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter. Attackers can break out of the define() string context in config.php using a single quote and statement separator to inject malicious PHP code that persists and executes on every subsequent page load when the installation wizard remains incomplete.
Title OpenCATS PHP Code Injection via installer AJAX endpoint
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Opencats Opencats
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-28T15:45:23.262Z

Reserved: 2026-02-23T21:38:48.842Z

Link: CVE-2026-27760

cve-icon Vulnrichment

Updated: 2026-04-28T14:56:14.168Z

cve-icon NVD

Status : Deferred

Published: 2026-04-28T15:16:26.800

Modified: 2026-04-28T20:18:13.020

Link: CVE-2026-27760

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T19:30:27Z

Weaknesses