CVE-2021-47936
Published 2026-05-10
Priority P268 · critical · 9.8 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.66% (46.8th percentile)
OpenCATS 0.9.4 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised as resume attachments. Attackers can upload PHP payloads through the careers job application endpoint and execute system commands via POST requests to the uploaded file in the upload directory.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| opencats | opencats | <= 0.9.4 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 9.3 | CRITICAL | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
GHSA
GHSA-6w77-cp2c-mfxq: OpenCATS 0
ghsa_unreviewed·2026-05-10
CVE-2021-47936 [CRITICAL] CWE-306 GHSA-6w77-cp2c-mfxq: OpenCATS 0
VulDB
OpenCATS up to 0.9.4 Careers Job Application Endpoint missing authentication (Exploit 50585 / EDB-50585)
vuldb·2026-05-10·CVSS 9.3
CVE-2021-47936 [CRITICAL] OpenCATS up to 0.9.4 Careers Job Application Endpoint missing authentication (Exploit 50585 / EDB-50585)
A vulnerability has been found in OpenCATS up to 0.9.4 and classified as critical. This affects an unknown function of the component Careers Job Application Endpoint. This manipulation causes missing authentication.
This vulnerability is handled as CVE-2021-47936. The attack can be initiated remotely. Additionally, an exploit exists.