CVE-2026-27760
Published 2026-04-28
Priority P1 (85) · High · CVSS 3.1: 8.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
In the wild: exploit · VulnCheck KEV
Exploited in the wild
EPSS: 22.19% (97.4th percentile)
OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter. Attackers can break out of the define() string context in config.php using a single quote and statement separator to inject malicious PHP code that persists and executes on every subsequent page load when the installation wizard remains incomplete.
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| opencats | opencats | <= 0.9.7.4 | — |
Detection & IOCs (extracted from sources)

Sigma rule:

```yaml
title: OpenCATS CVE-2026-27760 Installer RCE
detection:
  selection:
    cs-uri-stem|contains: '/ajax.php'
    cs-uri-query|contains:
      - 'f=install:ui'
      - 'a=databaseConnectivity'
  condition: selection
```

- Check for POST requests to /ajax.php?f=install:ui&a=databaseConnectivity containing single-quote injection patterns (e.g., `');`) in the 'user' parameter, indicating an attempt to break out of the define() string context in config.php.
- Injected PHP code persists in config.php and executes on every subsequent page load; monitor config.php for unexpected modifications or PHP statements outside of define() calls.
- Unauthenticated access to the installer AJAX endpoint is the attack vector; alert on any unauthenticated POST to /ajax.php with query parameters f=install:ui and a=databaseConnectivity from external IPs.
- The vulnerability is only exploitable when the OpenCATS installation wizard is incomplete/not finalized. Instances with a completed installation (installLocked present) are not vulnerable via this vector.
- The Nuclei template uses a three-step flow: first confirming the installer is active, then injecting PHP, then verifying code execution via /index.php. All three steps must succeed for a confirmed positive; partial matches may indicate false positives.
- Shodan and FOFA queries (title:"opencats") can be used to identify exposed OpenCATS instances for asset inventory, but do not confirm vulnerability without checking installer state.
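As an added example, not code from the page's sources or from OpenCATS, the Python below applies the Sigma selection above to constructed access-log lines and then scans a constructed config.php for statements outside define() calls, as the second bullet suggests; the combined log format and the allow-list of benign config lines are assumptions.

```python
import re

# Constructed sample access-log lines (not real traffic); combined log format is an assumption.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Apr/2026:10:01:02 +0000] "POST /ajax.php?f=install:ui&a=databaseConnectivity HTTP/1.1" 200 512
198.51.100.3 - - [28/Apr/2026:10:01:05 +0000] "GET /index.php?m=home HTTP/1.1" 200 4096
203.0.113.7 - - [28/Apr/2026:10:01:09 +0000] "GET /ajax.php?f=install:ui&a=databaseConnectivity HTTP/1.1" 200 300
10.0.0.5 - - [28/Apr/2026:10:02:00 +0000] "POST /ajax.php?f=candidates&a=search HTTP/1.1" 200 700
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

def match_installer_requests(log_text, internal_prefixes=("10.", "192.168.", "127.")):
    """Apply the Sigma selection: uri-stem contains /ajax.php and the query carries both
    f=install:ui and a=databaseConnectivity. Each hit keeps the method and an external flag."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        stem, _, query = m.group("target").partition("?")
        if "/ajax.php" not in stem:
            continue
        if "f=install:ui" not in query or "a=databaseConnectivity" not in query:
            continue
        ip = m.group("ip")
        hits.append({"ip": ip, "method": m.group("method"),
                     "external": not ip.startswith(internal_prefixes)})
    return hits

# config.php integrity check: any line that is neither a complete define() call nor a
# comment/PHP tag is reported. Hashing against a known-good copy is the more robust control.
DEFINE_RE = re.compile(r"""^\s*define\(\s*(['"])\w+\1\s*,\s*(?:'[^']*'|"[^"]*"|true|false|null|-?\d+)\s*\)\s*;\s*$""")
BENIGN_RE = re.compile(r'^\s*(?:<\?php|\?>|//.*|#.*|/\*.*|\*.*|)$')

def suspicious_config_lines(config_text):
    """Return (line_no, text) for lines that are neither define() calls nor benign."""
    return [(n, line) for n, line in enumerate(config_text.splitlines(), 1)
            if not (DEFINE_RE.match(line) or BENIGN_RE.match(line))]

# Constructed sample config.php (not OpenCATS' real file). Line 2 carries a statement
# appended after the closing quote and statement separator, which the define() pattern rejects.
SAMPLE_CONFIG = """\
<?php
define('DATABASE_USER', 'cats');phpinfo();//');
define('DATABASE_PASS', 'example-only');
define('DATABASE_HOST', 'localhost');
define('DATABASE_NAME', 'cats_dev');
"""
```

Access logs normally do not record POST bodies, so the request-side check only identifies installer traffic; the config.php scan is what confirms whether anything was actually written.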
CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 8.1 | HIGH | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | 4.0 | 9.2 | CRITICAL | CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| vulncheck | — | 8.1 | HIGH | — |
VulDB
OpenCATS up to 0.9.7.4 AJAX Endpoint config.php define action code injection (EUVD-2026-26052)
vuldb · 2026-04-28 · CVSS 9.2 · CVE-2026-27760 [CRITICAL]
A vulnerability identified as critical has been detected in OpenCATS up to 0.9.7.4. This affects the function define of the file config.php of the component AJAX Endpoint. This manipulation of the argument action causes code injection.
This vulnerability is tracked as CVE-2026-27760. The attack can be carried out remotely. No exploit exists.
It is suggested to install a patch to address this issue.
GHSA
GHSA-h957-4jfh-qc3p
ghsa_unreviewed · 2026-04-28 · CVE-2026-27760 [CRITICAL] · CWE-94
OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter. Attackers can break out of the define() string context in config.php using a single quote and statement separator to inject malicious PHP code that persists and executes on every subsequent page load when the installation wizard remains incomplete.
VulnCheck
opencats opencats Improper Control of Generation of Code ('Code Injection')
vulncheck · 2026 · CVSS 8.1 · CVE-2026-27760 [HIGH]
OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter. Attackers can break out of the define() string context in config.php using a single quote and statement separator to inject malicious PHP code that persists and executes on every subsequent page load when the installation wizard remains incomplete.
Affected: opencats opencats
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vu
No detection rules found.
Nuclei
OpenCATS - Command Injection
nuclei · CVSS 8.1 · CVE-2026-27760 [HIGH]
OpenCATS prior to commit 3002a29 contains a command injection caused by injection of PHP statements into the installer AJAX endpoint's databaseConnectivity action parameter, letting unauthenticated attackers execute arbitrary code; the exploit requires an incomplete installation wizard.
Template:

```yaml
id: CVE-2026-27760
info:
  name: OpenCATS - Command Injection
  author: theamanrawat
  severity: high
  description: |
    OpenCATS prior to commit 3002a29 contains a command injection caused by injection of PHP statements into the installer AJAX endpoint's databaseConnectivity action parameter, letting unauthenticated attackers execute arbitrary code, exploit requires incomplete installation wizard.
  impact: |
    Unauthenticated attackers can execute arbitrary PHP code remotely, leading
```
No writeups or analysis indexed.
References:
- https://chocapikk.com/posts/2026/opencats-installer-rce/
- https://github.com/opencats/OpenCATS/blob/46e4727/lib/CATSUtility.php#L142-L172
- https://github.com/opencats/OpenCATS/blob/46e4727/modules/install/ajax/ui.php#L130
- https://github.com/opencats/OpenCATS/commit/3002a29f4c3cada1aa2c4f3d4ae4e189906606b6
- https://github.com/opencats/OpenCATS/pull/706
- https://www.vulncheck.com/advisories/opencats-php-code-injection-via-installer-ajax-endpoint