Skip to main content

OpenCATS CVE-2026-27760

| EUVD-2026-26052 CRITICAL
Code Injection (CWE-94)
2026-04-28 VulnCheck
PHP Code Injection RCE
9.2
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
9.2 CRITICAL
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

9
PoC Detected
Apr 28, 2026 - 20:18 vuln.today
Public exploit code
Re-analysis Queued
Apr 28, 2026 - 15:22 vuln.today
cvss_changed
Severity Changed
Apr 28, 2026 - 15:22 NVD
HIGH CRITICAL
CVSS changed
Apr 28, 2026 - 15:22 NVD
8.1 (HIGH) 9.2 (CRITICAL)
Analysis Generated
Apr 28, 2026 - 15:00 vuln.today
EUVD ID Assigned
Apr 28, 2026 - 14:30 euvd
EUVD-2026-26052
Analysis Generated
Apr 28, 2026 - 14:30 vuln.today
Patch released
Apr 28, 2026 - 14:30 nvd
Patch available
CVE Published
Apr 28, 2026 - 13:43 nvd
CRITICAL 9.2

DescriptionCVE.org

OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter. Attackers can break out of the define() string context in config.php using a single quote and statement separator to inject malicious PHP code that persists and executes on every subsequent page load when the installation wizard remains incomplete.

AnalysisAI

Remote code execution in OpenCATS installer allows unauthenticated attackers to inject and execute arbitrary PHP code by manipulating the AJAX endpoint's databaseConnectivity action parameter. The injected code persists in config.php and executes on every page load while the installation wizard remains incomplete. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Scan for exposed installers
Delivery
Send crafted POST to AJAX endpoint
Exploit
Inject PHP via quote breakout
Install
Malicious code written to config.php
C2
Persistent execution on page loads
Execute
Remote code execution as web server user
Impact
Lateral movement or data exfiltration
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Installation wizard must remain incomplete and accessible - specifically, the /modules/install/ajax/ui.php endpoint must be reachable and the config.php file must be writable by the web server process. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is MODERATE-HIGH despite the 8.1 CVSS score due to conflicting attack complexity signals. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker discovers an internet-accessible OpenCATS instance with an incomplete installation by scanning for /modules/install/ paths. They craft a POST request to the installer's AJAX endpoint (/modules/install/ajax/ui.php) with a malicious databaseConnectivity action parameter containing a single quote to break out of the define() string context, followed by injected PHP code (e.g., web shell or reverse shell payload). …
Remediation Upgrade to OpenCATS commit 3002a29f4c3cada1aa2c4f3d4ae4e189906606b6 or later, available via GitHub pull request #706 (https://github.com/opencats/OpenCATS/pull/706). … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Recommended ActionAI

Within 24 hours: identify all OpenCATS instances in your environment and verify installation status (prioritize any incomplete installations). …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL POC
9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
CVE-2026-49954 HIGH POC
8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
CVE-2026-27053 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
CVE-2026-49104 CRITICAL
9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

Share

CVE-2026-27760 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy