OpenCATS PHP Code Injection Vulnerability (CVE-2026-27760)
Unauthenticated attackers can exploit a PHP code injection vulnerability in OpenCATS versions prior to commit 3002a29 by injecting malicious PHP code into the installer's AJAX endpoint, leading to arbitrary code execution.
CVE-2026-27760 is a critical PHP code injection vulnerability in OpenCATS, a web-based applicant tracking system, affecting versions prior to commit 3002a29. The flaw is in the installer AJAX endpoint, specifically in the handling of the databaseConnectivity action parameter. Unauthenticated attackers can inject arbitrary PHP code through this parameter, which gives them arbitrary command execution on the server. The endpoint is reachable while the installation wizard is not yet complete, and because the injected code is written into config.php it runs on every subsequent page load. The vulnerability poses a significant risk to organizations running vulnerable versions of OpenCATS: it can lead to complete system compromise, data theft, or denial of service.
Attack Chain
- An unauthenticated attacker sends a crafted HTTP POST request to the OpenCATS installer AJAX endpoint (/install/ajax.php).
- The request includes the databaseConnectivity action parameter.
- The attacker injects PHP code into the databaseConnectivity parameter, breaking out of the define() string context in config.php with a single quote and a statement separator.
- The injected code is then processed by the server, leading to arbitrary PHP code execution in the context of the web server user.
- The injected code persists because it is written to the config.php file.
- Every subsequent page load executes the injected PHP code, even after the initial malicious request.
- The attacker can use the code execution to install a web shell for persistent access.
- With the web shell, the attacker can perform various malicious activities, including reading sensitive files, modifying the database, or pivoting to other systems on the network.
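The breakout described in the chain above, modelled as an added example (this is not OpenCATS code: the one-line config.php template, the constant name DATABASE_HOST, the payload and the escaping function are all assumptions). The vulnerable writer drops the untrusted host value into a single-quoted PHP string inside define(); a value containing a quote and a statement separator closes that string and the call and appends its own statement. The hardened writer escapes the value the way PHP's var_export() does for strings. The last function is the kind of textual check the second detection rule refers to: a config.php the installer produced should contain nothing but define() lines, so any other statement is a sign of injection.

```python
import re

# Constructed stand-in for the installer writing the database host into
# config.php. The real file holds several define() lines; one is enough to
# show the string-context breakout.
def render_config_vulnerable(db_host: str) -> str:
    # The untrusted value is dropped straight into a single-quoted PHP string.
    return "<?php\ndefine('DATABASE_HOST', '%s');\n" % db_host


def php_single_quoted(value: str) -> str:
    # Only backslash and single quote are special inside a PHP single-quoted
    # string; escaping both is what var_export() does for string values.
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_config_fixed(db_host: str) -> str:
    # Same template, but the value can no longer terminate the string literal.
    return "<?php\ndefine('DATABASE_HOST', %s);\n" % php_single_quoted(db_host)


# Constructed payload: the quote closes the string, ");" closes define(),
# then a statement follows and "//" comments out the template's own tail.
PAYLOAD = "localhost'); system($_GET['cmd']); //"

# A well-formed installer-generated define() line: constant name, a
# single-quoted string in which quotes and backslashes are escaped, nothing
# else on the line.
DEFINE_LINE = re.compile(r"^define\('[A-Z_]+', '(?:[^'\\]|\\.)*'\);$")


def statements_outside_define(config: str) -> list:
    """Return lines of a config.php that are not a well-formed define() line.

    Coarse textual check, not a PHP parser: the opening tag and blank lines
    are ignored, everything else must match DEFINE_LINE exactly. A hit means
    code was written into the file that the installer template never emits.
    """
    return [
        line
        for line in config.splitlines()
        if line and line != "<?php" and not DEFINE_LINE.match(line)
    ]


if __name__ == "__main__":
    print("vulnerable writer produced:\n" + render_config_vulnerable(PAYLOAD))
    print("injected statements:", statements_outside_define(render_config_vulnerable(PAYLOAD)))
    print("hardened writer produced:\n" + render_config_fixed(PAYLOAD))
    print("injected statements:", statements_outside_define(render_config_fixed(PAYLOAD)))
```

Escaping the value is shown here only to make the breakout concrete; the page does not describe what commit 3002a29 changed, and restricting who can reach the installer at all (see the recommendations) matters as much as how the value is quoted.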
Impact
Successful exploitation of CVE-2026-27760 allows unauthenticated attackers to execute arbitrary PHP code on the affected OpenCATS server. This can lead to complete system compromise, including the theft of sensitive applicant data, modification of application settings, and the installation of backdoors for persistent access. Given that OpenCATS handles applicant data, a successful attack could result in a significant data breach and reputational damage. The injection point is the installer, which stays reachable as long as the installation wizard remains incomplete, and the injected code persists in config.php and runs on every subsequent page load, which makes the flaw both easy to reach and durable.
Recommendation
- Upgrade OpenCATS to a version containing commit 3002a29 or later to remediate CVE-2026-27760.
- Monitor web server logs for suspicious POST requests to /install/ajax.php containing PHP code in the databaseConnectivity parameter to detect exploitation attempts (see rule: "Detect OpenCATS installer code injection attempt"). Note that default web server access logs do not record POST bodies, so this requires body logging at a reverse proxy or WAF, or application-level logging.
- Implement a Web Application Firewall (WAF) rule to block requests containing PHP code in the databaseConnectivity parameter.
- Review and restrict access to the /install/ directory after completing the installation process to prevent accidental or malicious access to the installer.
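The log-monitoring recommendation above, worked through as an added example (not the platform's rule and not OpenCATS code). It assumes a proxy or WAF log that records POST bodies, one JSON object per line; the field names, the sample lines and the IP addresses are constructed for the example. Because the page is not explicit about whether databaseConnectivity is the parameter name or the value of an action-style parameter, the check accepts either form and then looks at every parameter value for the quote-plus-separator pattern that breaks out of the define() string, a PHP open tag, or a call to a code-execution function.

```python
import json
import re
from urllib.parse import parse_qs

INSTALL_ENDPOINT = "/install/ajax.php"

# A single quote followed by ')' or ';' is what closes the define() string
# context; an explicit PHP open tag or a code-execution call in a parameter
# value is flagged as well. Tune the function list to the environment.
BREAKOUT = re.compile(
    r"'\s*[);]|<\?php|\b(?:system|exec|passthru|shell_exec|eval)\s*\(",
    re.IGNORECASE,
)


def mentions_database_connectivity(params: dict) -> bool:
    # Assumption: the action may be encoded as a parameter name or as the
    # value of an action-style parameter; accept either.
    if "databaseConnectivity" in params:
        return True
    return any("databaseConnectivity" in v for vals in params.values() for v in vals)


def suspicious_params(body: str) -> list:
    """Names of form fields in a POST body whose value looks like a breakout."""
    params = parse_qs(body, keep_blank_values=True)
    if not mentions_database_connectivity(params):
        return []
    return [name for name, vals in params.items() if any(BREAKOUT.search(v) for v in vals)]


def scan_log(lines: list) -> list:
    """One alert per POST to the installer endpoint carrying a breakout value."""
    alerts = []
    for raw in lines:
        try:
            rec = json.loads(raw)
        except json.JSONDecodeError:
            continue  # not a JSON record; skip it rather than abort the scan
        if rec.get("method") != "POST" or rec.get("path") != INSTALL_ENDPOINT:
            continue
        hits = suspicious_params(rec.get("body", ""))
        if hits:
            alerts.append({"ts": rec.get("ts"), "src": rec.get("src"), "params": hits})
    return alerts


# Constructed sample log from a proxy that records POST bodies; these are not
# real OpenCATS requests. The third line carries a URL-encoded breakout in the
# host field; the fourth has a quote-paren pair but targets another path.
SAMPLE_LOG = [
    '{"ts": "2026-03-01T10:00:01Z", "src": "203.0.113.5", "method": "GET", '
    '"path": "/index.php", "body": ""}',
    '{"ts": "2026-03-01T10:00:07Z", "src": "203.0.113.5", "method": "POST", '
    '"path": "/install/ajax.php", '
    '"body": "action=databaseConnectivity&host=127.0.0.1&user=cats&password=s3cret"}',
    '{"ts": "2026-03-01T10:02:13Z", "src": "198.51.100.7", "method": "POST", '
    '"path": "/install/ajax.php", '
    '"body": "action=databaseConnectivity&host=localhost%27%29%3B+system%28%24_GET%5B%27cmd%27%5D%29%3B+%2F%2F&user=cats"}',
    '{"ts": "2026-03-01T10:03:00Z", "src": "198.51.100.7", "method": "POST", '
    '"path": "/index.php", "body": "q=O%27Brien%29%3B"}',
    "not json at all",
]

if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```

The pattern is deliberately narrow (a quote immediately followed by a closing paren or semicolon) so that ordinary values with an apostrophe do not fire; a value that really contains "')" in a legitimate database password would, and should be reviewed rather than suppressed. This only catches the request; pair it with a check of config.php itself, since a payload that arrived before body logging was enabled is still executing on every page load.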
Detection coverage
- Detect OpenCATS installer code injection attempt (critical): detects attempts to inject PHP code into the OpenCATS installer's databaseConnectivity parameter.
- Detect persistent PHP code execution via config.php modification (critical): detects modifications to config.php containing injected PHP code.