CVE-2026-27760

8.1 HIGH
Published: April 28, 2026 Modified: April 28, 2026
View on NVD

Description

OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter. Attackers can break out of the define() string context in config.php using a single quote and statement separator to inject malicious PHP code that persists and executes on every subsequent page load when the installation wizard remains incomplete.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0
Vector String
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory
https://chocapikk.com/posts/2026/opencats-installer-rce/
Source: disclosure@vulncheck.com
https://github.com/opencats/OpenCATS/blob/46e4727/lib/CATSUtility.php#L142-L172
Source: disclosure@vulncheck.com
https://github.com/opencats/OpenCATS/blob/46e4727/modules/install/ajax/ui.php#L130
Source: disclosure@vulncheck.com
https://github.com/opencats/OpenCATS/commit/3002a29f4c3cada1aa2c4f3d4ae4e189906606b6
Source: disclosure@vulncheck.com
https://github.com/opencats/OpenCATS/pull/706
Source: disclosure@vulncheck.com
https://www.vulncheck.com/advisories/opencats-php-code-injection-via-installer-ajax-endpoint
Source: disclosure@vulncheck.com

6 reference(s) from NVD

Quick Stats

CVSS v3 Score
8.1 / 10.0
EPSS (Exploit Probability)
0.1%
27th percentile
Exploitation Status
Not in CISA KEV

Weaknesses (CWE)

CWE-94

Related CVEs

CVE-2026-43964 3.7
CVE-2026-42237 N/A
CVE-2026-42236 N/A
CVE-2026-42235 N/A
CVE-2026-42234 N/A