Which versions of OpenCATS are affected by CVE-2026-49489?

OpenCATS versions through 0.9.7.4 contain a SQL injection vulnerability in the ajax/getDataGridPager.php sortDirection parameter that allows authenticated low-privilege users to extract arbitrary…

Is there a public PoC exploit available for CVE-2026-49489?

Yes, a public proof-of-concept exploit is available for CVE-2026-49489. Prioritise patching immediately. EPSS: 0.0%.

OpenCATS CVE-2026-49489

Q: What is the CVSS score of CVE-2026-49489?

CVE-2026-49489 has a CVSS 4.0 base score of 8.4 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-33501 HIGH

SQL Injection (CWE-89)

2026-05-31 VulnCheck

GHSA-5cpr-5mvp-9f62

PHP Information Disclosure SQLi

8.4

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

May 31, 2026 - 13:30 vuln.today

v3 (cvss_changed)

Analysis Updated

May 31, 2026 - 13:30 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 31, 2026 - 13:22 vuln.today

cvss_changed

CVSS changed

May 31, 2026 - 13:22 NVD

8.5 (HIGH) 8.4 (HIGH)

Analysis Generated

May 31, 2026 - 13:00 vuln.today

DescriptionNVD

OpenCATS through 0.9.7.4 contains a sql injection vulnerability in the sortDirection parameter of the DataGrid component that allows authenticated users to extract database contents. Attackers can inject malicious SQL via the sortDirection parameter in ajax/getDataGridPager.php to perform time-based blind injection attacks and read sensitive data.

AnalysisAI

SQL injection in OpenCATS through 0.9.7.4 allows authenticated users to extract arbitrary database contents by injecting malicious SQL into the sortDirection parameter of ajax/getDataGridPager.php. Publicly available exploit code exists (Exploit-DB 52579, Packet Storm), and the issue was disclosed via a GitHub Security Advisory coordinated with VulnCheck. …

RemediationAI

24 hours: Inventory all OpenCATS deployments and identify installations running version 0.9.7.4 or earlier; restrict creation of new low-privilege user accounts; enable database transaction and query logging. 7 days: Deploy Web Application Firewall rules to detect and block SQL injection attempts targeting ajax/getDataGridPager.php sortDirection parameter; review database access logs for unauthorized queries; assess what sensitive data is stored in OpenCATS databases. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-49489 vulnerability details – vuln.today

Back

OpenCATS CVE-2026-49489

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

OpenCATS CVE-2026-49489

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code