Description
OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter. Attackers can break out of the define() string context in config.php using a single quote and statement separator to inject malicious PHP code that persists and executes on every subsequent page load when the installation wizard remains incomplete.
Published: 2026-04-28
Score: 9.2 Critical
EPSS: 22.2% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a PHP code injection flaw (CWE-94) in the OpenCATS installer AJAX endpoint. An unauthenticated attacker can send a specially crafted payload in the databaseConnectivity the application to write malicious PHP code into its configuration files. Because the injected code is executed each time the installer wizard is not yet finished, the page loads.

Affected Systems

All installations of OpenCATS derived from the code base before commit 3002a29f4c3cada1aa2c4f3d4ae4e189906606b6 are impacted. No specific version numbers are listed, so any OpenCATS deployment prior to this update carries the vulnerability.

Risk and Exploitability

The CVSS score of 9.2 classifies the flaw the EPSS score of 22% indicates a moderate likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog, but attackers only need HTTP access to the un with required, to inject code that will run on every subsequent request until the installer wizard completes. It is inferred that the attacker can send a crafted HTTP POST request to the AJAX endpoint without authentication to perform the injection.

Generated by OpenCVE AI on June 24, 2026 at 12:32 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the OpenCATS software to a version that contains commit 3002a29f4c3cado1aa2c4f3d4ae4e189906606b6.
  • Immediately complete the OpenCATS installation wizard after applying the update to eliminate any incomplete configuration that could execute injected code.
  • Configure the web server or application firewall to block or remove access to the installer AJAX endpoint once the site is fully configured.

Generated by OpenCVE AI on June 24, 2026 at 12:32 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Jul 2026 19:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:opencats:opencats:*:*:*:*:*:*:*:*

Tue, 28 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 28 Apr 2026 16:15:00 +0000

Type Values Removed Values Added
First Time appeared Opencats
Opencats opencats
Vendors & Products Opencats
Opencats opencats

Tue, 28 Apr 2026 14:30:00 +0000

Type Values Removed Values Added
Description OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter. Attackers can break out of the define() string context in config.php using a single quote and statement separator to inject malicious PHP code that persists and executes on every subsequent page load when the installation wizard remains incomplete.
Title OpenCATS PHP Code Injection via installer AJAX endpoint
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Opencats Opencats
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-14T18:39:39.723Z

Reserved: 2026-02-23T21:38:48.842Z

Link: CVE-2026-27760

cve-icon Vulnrichment

Updated: 2026-04-28T14:56:14.168Z

cve-icon NVD

Status : Deferred

Published: 2026-04-28T15:16:26.800

Modified: 2026-06-17T10:27:39.090

Link: CVE-2026-27760

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T12:45:04Z

Weaknesses
  • CWE-94

    Improper Control of Generation of Code ('Code Injection')