Which versions of OpenCATS are affected by EUVD-2026-33501?

OpenCATS versions through 0.9.7.4 contain a SQL injection vulnerability in the ajax/getDataGridPager.php sortDirection parameter that allows authenticated low-privilege users to extract arbitrary…

Is there a public PoC exploit available for EUVD-2026-33501?

Yes, a public proof-of-concept exploit is available for EUVD-2026-33501. Prioritise patching immediately. EPSS: 0.0%.

OpenCATS EUVD-2026-33501

Q: What is the CVSS score of EUVD-2026-33501?

EUVD-2026-33501 has a CVSS 4.0 base score of 8.4 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-49489 HIGH

SQL Injection (CWE-89)

2026-05-31 VulnCheck

GHSA-5cpr-5mvp-9f62

PHP Information Disclosure SQLi

8.4

CVSS 4.0

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

Analysis Updated

May 31, 2026 - 13:30 vuln.today

v3 (cvss_changed)

Analysis Updated

May 31, 2026 - 13:30 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 31, 2026 - 13:22 vuln.today

cvss_changed

CVSS changed

May 31, 2026 - 13:22 NVD

8.5 (HIGH) 8.4 (HIGH)

Analysis Generated

May 31, 2026 - 13:00 vuln.today

DescriptionNVD

OpenCATS through 0.9.7.4 contains a sql injection vulnerability in the sortDirection parameter of the DataGrid component that allows authenticated users to extract database contents. Attackers can inject malicious SQL via the sortDirection parameter in ajax/getDataGridPager.php to perform time-based blind injection attacks and read sensitive data.

AnalysisAI

SQL injection in OpenCATS through 0.9.7.4 allows authenticated users to extract arbitrary database contents by injecting malicious SQL into the sortDirection parameter of ajax/getDataGridPager.php. Publicly available exploit code exists (Exploit-DB 52579, Packet Storm), and the issue was disclosed via a GitHub Security Advisory coordinated with VulnCheck. …

RemediationAI

24 hours: Inventory all OpenCATS deployments and identify installations running version 0.9.7.4 or earlier; restrict creation of new low-privilege user accounts; enable database transaction and query logging. 7 days: Deploy Web Application Firewall rules to detect and block SQL injection attempts targeting ajax/getDataGridPager.php sortDirection parameter; review database access logs for unauthorized queries; assess what sensitive data is stored in OpenCATS databases. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

EUVD-2026-33501 vulnerability details – vuln.today

Back

OpenCATS EUVD-2026-33501

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Analysis

Full analysis requires sign-in

Share

OpenCATS EUVD-2026-33501

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code