OpenCATS through 0.9.5-3 unsafely deserializes index.php?m=activity requests, leading to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.
Deserialization
RCE
PHP
Opencats
NVD
GitHub
CVSS 3.1
9.8
EPSS
10.7%