Description
OpenCATS from version 0.9.1a contains an SQL injection vulnerability in DataGrid filter handling that allows authenticated attackers to inject SQL through crafted filters targeting the non-filterable Tags column in the Candidates DataGrid. Attackers can bypass column filterable restrictions by manipulating filter requests to execute arbitrary SQL queries against the database.
Published: 2026-05-31
Score: 8.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenCATS 0.9.1a contains a SQL injection flaw in the DataGrid filter handling for the non-filterable Tags column. Authenticated attackers can craft filter requests that bypass column filterable restrictions, allowing arbitrary SQL queries to run against the underlying database. This vulnerability can be used to read, modify, or delete data stored in the database, compromising confidentiality and integrity. The weakness is a classic example of CWE‑89.

Affected Systems

Vendor OpenCATS, product OpenCATS, version 0.9.1a. No other affected versions are listed in the available data.

Risk and Exploitability

The CVSS score of 8.6 marks this issue as high severity, and the EPSS score is not available. It is not listed in the CISA KEV catalog. The exploit requires an authenticated user to access the Candidates DataGrid; the attacker must send a specially crafted filter request that circumvent the column filter rules to execute malicious SQL statements.

Generated by OpenCVE AI on May 31, 2026 at 13:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check for and install the latest OpenCATS update that fixes the SQL injection in the DataGrid filter handling.
  • If no update is available, restrict access to the Candidates DataGrid to only trusted users and disable the Tags filter parameter on the UI or APIs that handle it.
  • Ensure that all filter inputs are validated against a whitelist and that any database queries use parameterized statements instead of string concatenation to prevent future injection attempts.

Generated by OpenCVE AI on May 31, 2026 at 13:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Sun, 31 May 2026 12:30:00 +0000

Type Values Removed Values Added
Description OpenCATS from version 0.9.1a contains an SQL injection vulnerability in DataGrid filter handling that allows authenticated attackers to inject SQL through crafted filters targeting the non-filterable Tags column in the Candidates DataGrid. Attackers can bypass column filterable restrictions by manipulating filter requests to execute arbitrary SQL queries against the database.
Title OpenCATS - SQL Injection in DataGrid Filter Handling for Tags Column
First Time appeared Opencats
Opencats opencats
Weaknesses CWE-89
CPEs cpe:2.3:a:opencats:opencats:*:*:*:*:*:*:*:*
Vendors & Products Opencats
Opencats opencats
References
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}

cvssV4_0

{'score': 8.6, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Opencats Opencats
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-31T12:07:55.331Z

Reserved: 2026-05-31T11:54:34.993Z

Link: CVE-2026-49490

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-31T13:16:49.243

Modified: 2026-05-31T13:16:49.243

Link: CVE-2026-49490

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-31T13:30:03Z

Weaknesses