CVE-2026-27760
published 2026-04-28


Priority: P1, 85 (high)
CVSS 3.1: 8.1 (AV:N / AC:H / PR:N / UI:N / S:U / C:H / I:H / A:H)
Exploit status: ITW, EXPLOIT, VulnCheck KEV (exploited in the wild)
EPSS: 22.19% (97.4th percentile)
OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter. Attackers can break out of the define() string context in config.php using a single quote and statement separator to inject malicious PHP code that persists and executes on every subsequent page load when the installation wizard remains incomplete.

Affected

1 range
Vendor: opencats
Product: opencats
Version range: <= 0.9.7.4
Fixed in: (not listed)

Detection & IOCs (extracted from sources)

URL: /ajax.php?f=install:ui&a=databaseConnectivity
Path: /ajax.php
Command: user=cats');echo+'{{randstr}}'.md5('{{randstr}}');//
Sigma rule:
title: OpenCATS CVE-2026-27760 Installer RCE
detection:
  selection:
    cs-uri-stem|contains: '/ajax.php'
    cs-uri-query|contains:
      - 'f=install:ui'
      - 'a=databaseConnectivity'
  condition: selection
• Check for POST requests to /ajax.php?f=install:ui&a=databaseConnectivity containing single-quote injection patterns (e.g., ');) in the 'user' parameter, indicating an attempt to break out of the define() string context in config.php.
• Injected PHP code persists in config.php and executes on every subsequent page load; monitor config.php for unexpected modifications or PHP statements outside of define() calls.
• Unauthenticated access to the installer AJAX endpoint is the attack vector; alert on any unauthenticated POST to /ajax.php with query parameters f=install:ui and a=databaseConnectivity from external IPs.
• The vulnerability is only exploitable when the OpenCATS installation wizard is incomplete/not finalized. Instances with a completed installation (installLocked present) are not vulnerable via this vector.
• The Nuclei template uses a three-step flow: first confirming the installer is active, then injecting PHP, then verifying code execution via /index.php. All three steps must succeed for a confirmed positive; partial matches may indicate false positives.
• Shodan and FOFA queries (title:"opencats") can be used to identify exposed OpenCATS instances for asset inventory, but do not confirm vulnerability without checking installer state.
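The second bullet above recommends watching config.php for PHP statements outside define() calls. The following added example (written for this page, not code from OpenCATS or from the advisory) implements that check: it treats every non-comment line that is not exactly one define(NAME, scalar); call as a finding, which catches the "close the quote, append a statement" shape described in the advisory. The two config.php samples are constructed for the example and are not the project's real file.

```python
import re

# Constructed sample of an OpenCATS-style config.php (hypothetical content,
# not the project's real file): only define() calls, comments and PHP tags.
CLEAN_CONFIG = """<?php
/* constructed sample configuration */
define('DATABASE_HOST', 'localhost');
define('DATABASE_USER', 'cats');
define('DATABASE_PASS', 'secret');
define('DATABASE_NAME', 'opencats');
"""

# Same file after the installer wrote a user value that closes the define()
# string and appends a statement (the shape the advisory describes).
TAMPERED_CONFIG = """<?php
define('DATABASE_HOST', 'localhost');
define('DATABASE_USER', 'cats');echo 'injected';//');
define('DATABASE_PASS', 'secret');
"""

# A whole line must be exactly one define(NAME, scalar); plus an optional
# trailing line comment. Anything else after the ');' is a foreign statement.
_DEFINE_LINE = re.compile(
    r"""^\s*define\(\s*'[A-Za-z_][A-Za-z0-9_]*'\s*,\s*
        (?:'(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|-?\d+|true|false|null)
        \s*\)\s*;\s*(?://.*|\#.*)?$""",
    re.VERBOSE,
)
_BENIGN_LINE = re.compile(r"^\s*(?:<\?php|\?>|//.*|\#.*)?\s*$")


def audit_config(text: str) -> list[tuple[int, str]]:
    """Return (line_number, line) for every line that is not a define() call,
    a comment, a PHP tag or blank. Block comments are blanked first, keeping
    their newlines so reported line numbers match the file."""
    stripped = re.sub(
        r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), text, flags=re.DOTALL
    )
    findings = []
    for number, line in enumerate(stripped.split("\n"), start=1):
        if _DEFINE_LINE.match(line) or _BENIGN_LINE.match(line):
            continue
        findings.append((number, line.rstrip()))
    return findings


if __name__ == "__main__":
    for name, text in (("clean", CLEAN_CONFIG), ("tampered", TAMPERED_CONFIG)):
        print(name, audit_config(text))
```

Run it against a copy of the real config.php from a file-integrity job; a non-empty result on a file that should contain only define() calls is the signal the bullet asks for.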

CVSS provenance

NVD (CVSS v3.1): 8.1 HIGH, CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD (CVSS v4.0): 9.2 CRITICAL, CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
VulnCheck: 8.1 HIGH