QwikSec

Security Database

CVE

CWE

Training

CVE-2026-49489

Published: May 31, 2026

Modified: Jun 1, 2026

PUBLISHED

CVSS v3.1

8.5

HIGH

Description

OpenCATS through 0.9.7.4 contains a sql injection vulnerability in the sortDirection parameter of the DataGrid component that allows authenticated users to extract database contents. Attackers can inject malicious SQL via the sortDirection parameter in ajax/getDataGridPager.php to perform time-based blind injection attacks and read sensitive data.

Vendor	Product	Versions
OpenCATS	OpenCATS	affected `0 - <= 0.9.7.4`

Weaknesses (CWE)

CVSS v3.1 Details

CVSS v3.1 Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Changed

Confidentiality

High

Integrity

None

Availability

Low

References

GHSA Advisory GHSA-8mc8-5gw6-c7w4

vendor-advisory

Packet Storm Advisory

exploit

Exploit DB Advisory

exploit

VulnCheck Advisory: OpenCATS - SQL Injection in DataGrid sortDirection Parameter

third-party-advisory

Security Training

Train your team to recognize and prevent security threats with our comprehensive security awareness program.

Vulnerability Scanning

Discover vulnerabilities in your applications and infrastructure before attackers do.