{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/products/opencats/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":8.1,"id":"CVE-2026-27760"}],"_cs_exploited":false,"_cs_products":["OpenCATS"],"_cs_severities":["critical"],"_cs_tags":["code-injection","php","opencats","cve-2026-27760"],"_cs_type":"advisory","_cs_vendors":["OpenCATS"],"content_html":"\u003cp\u003eCVE-2026-27760 is a critical PHP code injection vulnerability that affects OpenCATS, a web-based applicant tracking system, in versions prior to commit 3002a29. The vulnerability resides in the installer AJAX endpoint, specifically within the \u003ccode\u003edatabaseConnectivity\u003c/code\u003e action parameter. Unauthenticated attackers can exploit this flaw by injecting arbitrary PHP code into this parameter. This injected code allows attackers to execute arbitrary commands on the server. The vulnerability is triggered during the initial setup phase, while the installation wizard is not yet complete, and the injected code continues to execute on every subsequent page load. This vulnerability poses a significant risk to organizations using vulnerable versions of OpenCATS, as it can lead to complete system compromise, data theft, or denial of service.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker sends a crafted HTTP POST request to the OpenCATS installer AJAX endpoint (\u003ccode\u003e/install/ajax.php\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe request includes the \u003ccode\u003edatabaseConnectivity\u003c/code\u003e action parameter.\u003c/li\u003e\n\u003cli\u003eThe attacker injects PHP code into the \u003ccode\u003edatabaseConnectivity\u003c/code\u003e parameter, breaking out of the \u003ccode\u003edefine()\u003c/code\u003e string context in \u003ccode\u003econfig.php\u003c/code\u003e with a single quote and statement separator.\u003c/li\u003e\n\u003cli\u003eThe injected code is then processed by the server, leading to arbitrary PHP code execution within the context of the web server user.\u003c/li\u003e\n\u003cli\u003eThe injected code persists because it\u0026rsquo;s written to the \u003ccode\u003econfig.php\u003c/code\u003e file.\u003c/li\u003e\n\u003cli\u003eEvery subsequent page load executes the injected PHP code, even after the initial malicious request.\u003c/li\u003e\n\u003cli\u003eThe attacker can use the code execution to install a web shell for persistent access.\u003c/li\u003e\n\u003cli\u003eWith the web shell, the attacker can perform various malicious activities, including reading sensitive files, modifying the database, or pivoting to other systems on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-27760 allows unauthenticated attackers to execute arbitrary PHP code on the affected OpenCATS server. This can lead to complete system compromise, including the theft of sensitive applicant data, modification of application settings, and the installation of backdoors for persistent access. Given that OpenCATS handles applicant data, a successful attack could result in a significant data breach and reputational damage. The vulnerability exists in the installer and persists throughout subsequent page loads as long as the installation wizard remains incomplete, making it highly impactful.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade OpenCATS to a version containing commit 3002a29 or later to remediate CVE-2026-27760.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests to \u003ccode\u003e/install/ajax.php\u003c/code\u003e containing PHP code in the \u003ccode\u003edatabaseConnectivity\u003c/code\u003e parameter to detect exploitation attempts (see rule: \u0026ldquo;Detect OpenCATS installer code injection attempt\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to block requests containing PHP code in the \u003ccode\u003edatabaseConnectivity\u003c/code\u003e parameter.\u003c/li\u003e\n\u003cli\u003eReview and restrict access to the \u003ccode\u003e/install/\u003c/code\u003e directory after completing the installation process to prevent accidental or malicious access to the installer.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T12:00:00Z","date_published":"2024-01-03T12:00:00Z","id":"/briefs/2024-01-opencats-code-injection/","summary":"Unauthenticated attackers can exploit a PHP code injection vulnerability in OpenCATS versions prior to commit 3002a29 by injecting malicious PHP code into the installer's AJAX endpoint, leading to arbitrary code execution.","title":"OpenCATS PHP Code Injection Vulnerability (CVE-2026-27760)","url":"https://feed.craftedsignal.io/briefs/2024-01-opencats-code-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — OpenCATS","version":"https://jsonfeed.org/version/1.1"}