CVE-2026-27760
OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated atta
CVSS
8.1
High
EPSS
22.2%
p97
KEV
—
Exploit Today
29
0-100
Published: Apr 28, 2026 · Last modified: Jul 14, 2026 · CWE-94
22.2%EPSS · 30 days22.2%
2026-06-302026-07-16
OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter. Attackers can break out of the define() string context in config.php using a single quote and statement separator to inject malicious PHP code that persists and executes on every subsequent page load when the installation wizard remains incomplete.
- chocapikk.comhttps://chocapikk.com/posts/2026/opencats-installer-rce/
- github.comhttps://github.com/opencats/OpenCATS/blob/46e4727/lib/CATSUtility.php#L142-L172
- github.comhttps://github.com/opencats/OpenCATS/blob/46e4727/modules/install/ajax/ui.php#L130
- github.comhttps://github.com/opencats/OpenCATS/commit/3002a29f4c3cada1aa2c4f3d4ae4e189906606b6
- github.comhttps://github.com/opencats/OpenCATS/pull/706
- www.vulncheck.comhttps://www.vulncheck.com/advisories/opencats-php-code-injection-via-installer-ajax-endpoint
CVECVSSEPSSKEVRExploitTitleMod.
CVE-2025-32489.8 CRI100.0%
KEV—80Langflow Missing Authentication Vulnerability2dCVE-2026-341978.8 HIG99.9%
KEV—80Apache ActiveMQ Improper Input Validation Vulnerability2dCVE-2026-154107.2 HIG71.1%
KEV—71SonicWall SMA1000 Appliances Code Injection Vulnerability18hCVE-2025-670389.8 CRI55.3%
KEV—67Lantronix EDS5000 Code Injection Vulnerability10dCVE-2021-416539.8 CRI99.5%
——30The PING function on the TP-Link TL-WR840N EU v5 router with firmware through TL-WR840N(EU)_V5_171211 is vulnerable to remote code execution via a crafted payload in an IP address input field.8dCVE-2023-362558.8 HIG99.0%
——30An issue in Eramba Limited Eramba Enterprise and Community edition v.3.19.1 allows a remote attacker to execute arbitrary code via the path parameter in the URL.8d