QwikSec

Security Database

CVE

CWE

Training

CVE-2026-27760

Published: Apr 28, 2026

Modified: May 11, 2026

PUBLISHED

CVSS v3.1

8.1

HIGH

Description

OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter. Attackers can break out of the define() string context in config.php using a single quote and statement separator to inject malicious PHP code that persists and executes on every subsequent page load when the installation wizard remains incomplete.

Vendor	Product	Versions
opencats	OpenCATS	affected `0 - <= 0.9.7.4` unaffected `3002a29f4c3cada1aa2c4f3d4ae4e189906606b6`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

High

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

References

https://chocapikk.com/posts/2026/opencats-installer-rce/

technical-description

exploit

https://github.com/opencats/OpenCATS/pull/706

issue-tracking

https://github.com/opencats/OpenCATS/commit/3002a29f4c3cada1aa2c4f3d4ae4e189906606b6

patch

https://github.com/opencats/OpenCATS/blob/46e4727/lib/CATSUtility.php#L142-L172

related

https://github.com/opencats/OpenCATS/blob/46e4727/modules/install/ajax/ui.php#L130

related

https://www.vulncheck.com/advisories/opencats-php-code-injection-via-installer-ajax-endpoint

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.