Skip to main content

OpenCATS CVE-2026-49490

| EUVDEUVD-2026-33502 HIGH
SQL Injection (CWE-89)
2026-05-31 VulnCheck GHSA-6wcv-mwf3-2vmh
8.6
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.6 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
May 31, 2026 - 13:29 vuln.today
v3 (cvss_changed)
Analysis Updated
May 31, 2026 - 13:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 31, 2026 - 13:22 vuln.today
cvss_changed
CVSS changed
May 31, 2026 - 13:22 NVD
8.1 (HIGH) 8.6 (HIGH)
Analysis Generated
May 31, 2026 - 13:00 vuln.today

DescriptionCVE.org

OpenCATS from version 0.9.1a contains an SQL injection vulnerability in DataGrid filter handling that allows authenticated attackers to inject SQL through crafted filters targeting the non-filterable Tags column in the Candidates DataGrid. Attackers can bypass column filterable restrictions by manipulating filter requests to execute arbitrary SQL queries against the database.

AnalysisAI

SQL injection in OpenCATS 0.9.1a and later allows authenticated attackers to execute arbitrary SQL queries against the backend database by abusing DataGrid filter handling on the Candidates module's Tags column. The flaw bypasses the application's column filterable restrictions, enabling data theft or modification of the recruitment platform's stored candidate records. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Technical ContextAI

OpenCATS is an open-source candidate Applicant Tracking System (ATS) written in PHP, identified by CPE cpe:2.3:a:opencats:opencats. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), specifically within the DataGrid filtering component used to render and query candidate listings. The Tags column is marked non-filterable in the UI, but the server-side handler fails to enforce that restriction and concatenates attacker-controlled filter parameters into a SQL query, so a crafted filter request targeting Tags reaches the database with unsanitized input.

RemediationAI

Upstream fix available per the GitHub Security Advisory (GHSA-gmpc-j6h7-vw74); a released patched version is not independently confirmed in the provided data, so administrators should consult the advisory at https://github.com/opencats/OpenCATS/security/advisories/GHSA-gmpc-j6h7-vw74 and apply the latest available OpenCATS release or commit referenced there. As compensating controls while patching, restrict access to the OpenCATS Candidates DataGrid endpoints to trusted networks via reverse proxy or VPN, enforce least-privilege role assignments so fewer accounts can reach the Candidates view, and place a WAF rule in front of the application that blocks SQL metacharacters in DataGrid filter parameters targeting the Tags column - noting the WAF rule may break legitimate searches containing quotes or semicolons. Also rotate database credentials and review query logs for evidence of prior filter-based SQLi against the Tags column.

CVE-2022-43019 CRITICAL POC
9.8 Oct 19

OpenCATS v0.9.6 was discovered to contain a remote code execution (RCE) vulnerability via the getDataGridPager's ajax fu

CVE-2021-41560 CRITICAL POC
9.8 Dec 15

OpenCATS through 0.9.6 allows remote attackers to execute arbitrary code by uploading an executable file via lib/FileUti

CVE-2021-25294 CRITICAL POC
9.8 Jan 18

OpenCATS through 0.9.5-3 unsafely deserializes index.php?m=activity requests, leading to remote code execution. Rated cr

CVE-2026-27760 CRITICAL POC
9.2 Apr 28

Remote code execution in OpenCATS installer allows unauthenticated attackers to inject and execute arbitrary PHP code by

CVE-2019-13358 HIGH POC
7.5 Jul 05

lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying opera

CVE-2022-43023 MEDIUM POC
6.5 Oct 19

OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the importID parameter in the Import viewerr

CVE-2022-43022 MEDIUM POC
6.5 Oct 19

OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the tag_id variable in the Tag deletion func

CVE-2022-43021 MEDIUM POC
6.5 Oct 19

OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the entriesPerPage variable. Rated medium se

CVE-2022-43020 MEDIUM POC
6.5 Oct 19

OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the tag_id variable in the Tag update functi

CVE-2023-27293 MEDIUM POC
6.1 Feb 28

Improper neutralization of input during web page generation allows an unauthenticated attacker to submit malicious Javas

CVE-2022-43018 MEDIUM POC
6.1 Oct 19

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the email parameter i

CVE-2022-43017 MEDIUM POC
6.1 Oct 19

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the indexFile compone

Share

CVE-2026-49490 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy