Skip to main content

Opencats

23 CVEs product

Monthly

CVE-2026-49490 HIGH This Week

SQL injection in OpenCATS 0.9.1a and later allows authenticated attackers to execute arbitrary SQL queries against the backend database by abusing DataGrid filter handling on the Candidates module's Tags column. The flaw bypasses the application's column filterable restrictions, enabling data theft or modification of the recruitment platform's stored candidate records. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi Opencats
NVD GitHub VulDB
CVSS 4.0
8.6
EPSS
0.0%
CVE-2026-27760 CRITICAL POC PATCH Act Now

Remote code execution in OpenCATS installer allows unauthenticated attackers to inject and execute arbitrary PHP code by manipulating the AJAX endpoint's databaseConnectivity action parameter. The injected code persists in config.php and executes on every page load while the installation wizard remains incomplete. Publicly available exploit code demonstrates breakout from define() string context using quote and statement separator techniques. Patch available via GitHub commit 3002a29, though CVSS AC:H (high complexity) suggests exploitation requires specific timing or environmental conditions during installation phase.

PHP Code Injection RCE Opencats
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.1%
CVE-2023-26847 MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in OpenCATS v0.9.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the state parameter at. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP XSS Opencats
NVD GitHub
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-26846 MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in OpenCATS v0.9.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the city parameter at. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP XSS Opencats
NVD GitHub
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-26845 MEDIUM This Month

A Cross-Site Request Forgery (CSRF) in OpenCATS 0.9.7 allows attackers to force users into submitting web requests via unspecified vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Opencats
NVD GitHub
CVSS 3.1
4.3
EPSS
0.2%
CVE-2023-27295 MEDIUM POC This Month

Cross-site request forgery is facilitated by OpenCATS failure to require CSRF tokens in POST requests. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Opencats
NVD
CVSS 3.1
5.4
EPSS
0.4%
CVE-2023-27294 MEDIUM POC This Month

Improper neutralization of input during web page generation allows an authenticated attacker with access to a restricted account to submit malicious Javascript as the description for a calendar. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Opencats
NVD
CVSS 3.1
5.4
EPSS
0.5%
CVE-2023-27293 MEDIUM POC This Month

Improper neutralization of input during web page generation allows an unauthenticated attacker to submit malicious Javascript as the answer to a questionnaire which would then be executed when an. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Opencats
NVD
CVSS 3.1
6.1
EPSS
0.6%
CVE-2023-27292 MEDIUM POC This Month

An open redirect vulnerability exposes OpenCATS to template injection due to improper validation of user-supplied GET parameters. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect Opencats
NVD
CVSS 3.1
5.4
EPSS
1.0%
CVE-2022-43023 MEDIUM POC This Month

OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the importID parameter in the Import viewerrors function. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Opencats
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2022-43022 MEDIUM POC This Month

OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the tag_id variable in the Tag deletion function. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Opencats
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2022-43021 MEDIUM POC This Month

OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the entriesPerPage variable. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Opencats
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2022-43020 MEDIUM POC This Month

OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the tag_id variable in the Tag update function. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Opencats
NVD GitHub
CVSS 3.1
6.5
EPSS
0.8%
CVE-2022-43019 CRITICAL POC Act Now

OpenCATS v0.9.6 was discovered to contain a remote code execution (RCE) vulnerability via the getDataGridPager's ajax functionality. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Opencats
NVD GitHub
CVSS 3.1
9.8
EPSS
1.8%
CVE-2022-43018 MEDIUM POC This Month

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the email parameter in the Check Email function. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Opencats
NVD GitHub
CVSS 3.1
6.1
EPSS
1.3%
CVE-2022-43017 MEDIUM POC This Month

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the indexFile component. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Opencats
NVD GitHub
CVSS 3.1
6.1
EPSS
1.3%
CVE-2022-43016 MEDIUM POC This Month

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the callback component. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Opencats
NVD GitHub
CVSS 3.1
6.1
EPSS
1.3%
CVE-2022-43015 MEDIUM POC This Month

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the entriesPerPage parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Opencats
NVD GitHub
CVSS 3.1
6.1
EPSS
1.3%
CVE-2022-43014 MEDIUM POC This Month

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the joborderID parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Opencats
NVD GitHub
CVSS 3.1
6.1
EPSS
1.3%
CVE-2021-41560 CRITICAL POC PATCH THREAT Act Now

OpenCATS through 0.9.6 allows remote attackers to execute arbitrary code by uploading an executable file via lib/FileUtility.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE PHP File Upload Opencats
NVD GitHub
CVSS 3.1
9.8
EPSS
11.1%
CVE-2021-25295 MEDIUM POC This Month

OpenCATS through 0.9.5-3 has multiple Cross-site Scripting (XSS) issues. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Opencats
NVD GitHub
CVSS 3.1
6.1
EPSS
1.5%
CVE-2021-25294 CRITICAL POC PATCH THREAT Act Now

OpenCATS through 0.9.5-3 unsafely deserializes index.php?m=activity requests, leading to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization RCE PHP Opencats
NVD GitHub
CVSS 3.1
9.8
EPSS
10.7%
CVE-2019-13358 HIGH POC THREAT This Week

lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE PHP Opencats
NVD GitHub Exploit-DB
CVSS 3.1
7.5
EPSS
23.8%
EPSS 0% CVSS 8.6
HIGH This Week

SQL injection in OpenCATS 0.9.1a and later allows authenticated attackers to execute arbitrary SQL queries against the backend database by abusing DataGrid filter handling on the Candidates module's Tags column. The flaw bypasses the application's column filterable restrictions, enabling data theft or modification of the recruitment platform's stored candidate records. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

SQLi Opencats
NVD GitHub VulDB
EPSS 0% CVSS 9.2
CRITICAL POC PATCH Act Now

Remote code execution in OpenCATS installer allows unauthenticated attackers to inject and execute arbitrary PHP code by manipulating the AJAX endpoint's databaseConnectivity action parameter. The injected code persists in config.php and executes on every page load while the installation wizard remains incomplete. Publicly available exploit code demonstrates breakout from define() string context using quote and statement separator techniques. Patch available via GitHub commit 3002a29, though CVSS AC:H (high complexity) suggests exploitation requires specific timing or environmental conditions during installation phase.

PHP Code Injection RCE +1
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in OpenCATS v0.9.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the state parameter at. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP XSS Opencats
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM This Month

A stored cross-site scripting (XSS) vulnerability in OpenCATS v0.9.7 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the city parameter at. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

PHP XSS Opencats
NVD GitHub
EPSS 0% CVSS 4.3
MEDIUM This Month

A Cross-Site Request Forgery (CSRF) in OpenCATS 0.9.7 allows attackers to force users into submitting web requests via unspecified vectors. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

CSRF Opencats
NVD GitHub
EPSS 0% CVSS 5.4
MEDIUM POC This Month

Cross-site request forgery is facilitated by OpenCATS failure to require CSRF tokens in POST requests. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

CSRF Opencats
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

Improper neutralization of input during web page generation allows an authenticated attacker with access to a restricted account to submit malicious Javascript as the description for a calendar. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Opencats
NVD
EPSS 1% CVSS 6.1
MEDIUM POC This Month

Improper neutralization of input during web page generation allows an unauthenticated attacker to submit malicious Javascript as the answer to a questionnaire which would then be executed when an. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Opencats
NVD
EPSS 1% CVSS 5.4
MEDIUM POC This Month

An open redirect vulnerability exposes OpenCATS to template injection due to improper validation of user-supplied GET parameters. Rated medium severity (CVSS 5.4), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

Open Redirect Opencats
NVD
EPSS 1% CVSS 6.5
MEDIUM POC This Month

OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the importID parameter in the Import viewerrors function. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Opencats
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC This Month

OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the tag_id variable in the Tag deletion function. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Opencats
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC This Month

OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the entriesPerPage variable. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Opencats
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM POC This Month

OpenCATS v0.9.6 was discovered to contain a SQL injection vulnerability via the tag_id variable in the Tag update function. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

SQLi Opencats
NVD GitHub
EPSS 2% CVSS 9.8
CRITICAL POC Act Now

OpenCATS v0.9.6 was discovered to contain a remote code execution (RCE) vulnerability via the getDataGridPager's ajax functionality. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

RCE Deserialization Opencats
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the email parameter in the Check Email function. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Opencats
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the indexFile component. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Opencats
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the callback component. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Opencats
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the entriesPerPage parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Opencats
NVD GitHub
EPSS 1% CVSS 6.1
MEDIUM POC This Month

OpenCATS v0.9.6 was discovered to contain a reflected cross-site scripting (XSS) vulnerability via the joborderID parameter. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Opencats
NVD GitHub
EPSS 11% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

OpenCATS through 0.9.6 allows remote attackers to execute arbitrary code by uploading an executable file via lib/FileUtility.php. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

RCE PHP File Upload +1
NVD GitHub
EPSS 2% CVSS 6.1
MEDIUM POC This Month

OpenCATS through 0.9.5-3 has multiple Cross-site Scripting (XSS) issues. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS Opencats
NVD GitHub
EPSS 11% CVSS 9.8
CRITICAL POC PATCH THREAT Act Now

OpenCATS through 0.9.5-3 unsafely deserializes index.php?m=activity requests, leading to remote code execution. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Deserialization RCE PHP +1
NVD GitHub
EPSS 24% CVSS 7.5
HIGH POC THREAT This Week

lib/DocumentToText.php in OpenCats before 0.9.4-3 has XXE that allows remote users to read files on the underlying operating system. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XXE PHP Opencats
NVD GitHub Exploit-DB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy