Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
OpenCATS from version 0.9.1a contains an SQL injection vulnerability in DataGrid filter handling that allows authenticated attackers to inject SQL through crafted filters targeting the non-filterable Tags column in the Candidates DataGrid. Attackers can bypass column filterable restrictions by manipulating filter requests to execute arbitrary SQL queries against the database.
AnalysisAI
SQL injection in OpenCATS 0.9.1a and later allows authenticated attackers to execute arbitrary SQL queries against the backend database by abusing DataGrid filter handling on the Candidates module's Tags column. The flaw bypasses the application's column filterable restrictions, enabling data theft or modification of the recruitment platform's stored candidate records. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.
Technical ContextAI
OpenCATS is an open-source candidate Applicant Tracking System (ATS) written in PHP, identified by CPE cpe:2.3:a:opencats:opencats. The root cause is CWE-89 (Improper Neutralization of Special Elements used in an SQL Command), specifically within the DataGrid filtering component used to render and query candidate listings. The Tags column is marked non-filterable in the UI, but the server-side handler fails to enforce that restriction and concatenates attacker-controlled filter parameters into a SQL query, so a crafted filter request targeting Tags reaches the database with unsanitized input.
RemediationAI
Upstream fix available per the GitHub Security Advisory (GHSA-gmpc-j6h7-vw74); a released patched version is not independently confirmed in the provided data, so administrators should consult the advisory at https://github.com/opencats/OpenCATS/security/advisories/GHSA-gmpc-j6h7-vw74 and apply the latest available OpenCATS release or commit referenced there. As compensating controls while patching, restrict access to the OpenCATS Candidates DataGrid endpoints to trusted networks via reverse proxy or VPN, enforce least-privilege role assignments so fewer accounts can reach the Candidates view, and place a WAF rule in front of the application that blocks SQL metacharacters in DataGrid filter parameters targeting the Tags column - noting the WAF rule may break legitimate searches containing quotes or semicolons. Also rotate database credentials and review query logs for evidence of prior filter-based SQLi against the Tags column.
OpenCATS v0.9.6 was discovered to contain a remote code execution (RCE) vulnerability via the getDataGridPager's ajax fu
OpenCATS through 0.9.6 allows remote attackers to execute arbitrary code by uploading an executable file via lib/FileUti
OpenCATS through 0.9.5-3 unsafely deserializes index.php?m=activity requests, leading to remote code execution. Rated cr
Remote code execution in OpenCATS installer allows unauthenticated attackers to inject and execute arbitrary PHP code by
lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying opera
OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the importID parameter in the Import viewerr
OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the tag_id variable in the Tag deletion func
OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the entriesPerPage variable. Rated medium se
OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the tag_id variable in the Tag update functi
Improper neutralization of input during web page generation allows an unauthenticated attacker to submit malicious Javas
OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the email parameter i
OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the indexFile compone
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33502
GHSA-6wcv-mwf3-2vmh