{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2021-47936/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2021-47936"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["OpenCATS 0.9.4"],"_cs_severities":["critical"],"_cs_tags":["CVE-2021-47936","rce","opencats","vulnerability"],"_cs_type":"threat","_cs_vendors":["OpenCATS"],"content_html":"\u003cp\u003eOpenCATS 0.9.4 contains a remote code execution vulnerability, identified as CVE-2021-47936, that allows unauthenticated attackers to execute arbitrary commands. The vulnerability stems from the application\u0026rsquo;s handling of resume attachments uploaded through the careers/job application endpoint. By disguising malicious PHP files as legitimate resumes, attackers can bypass upload restrictions and inject executable code into the server\u0026rsquo;s upload directory. Successful exploitation allows attackers to execute system commands via POST requests to the uploaded PHP file, potentially leading to full system compromise. This vulnerability poses a significant risk to organizations using OpenCATS 0.9.4, as it requires no authentication and can be exploited remotely.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker accesses the careers/job application endpoint of an OpenCATS 0.9.4 instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious PHP file containing the desired payload (e.g., a reverse shell or command execution).\u003c/li\u003e\n\u003cli\u003eThe attacker disguises the PHP file as a resume attachment (e.g., by changing the file extension or embedding it within a PDF).\u003c/li\u003e\n\u003cli\u003eThe attacker uploads the malicious file through the job application form.\u003c/li\u003e\n\u003cli\u003eThe OpenCATS application saves the uploaded file to the server\u0026rsquo;s upload directory (location varies based on configuration).\u003c/li\u003e\n\u003cli\u003eThe attacker identifies the location and filename of the uploaded file.\u003c/li\u003e\n\u003cli\u003eThe attacker sends a POST request to the uploaded PHP file, including the system commands to be executed in the request body.\u003c/li\u003e\n\u003cli\u003eThe server executes the commands specified in the POST request, enabling the attacker to achieve remote code execution.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2021-47936 allows unauthenticated attackers to execute arbitrary commands on the OpenCATS server. This can lead to complete system compromise, data theft, and denial of service. Given the nature of OpenCATS, a recruitment applicant tracking system, the impact includes exposure of sensitive applicant data. Since the exploit is unauthenticated, any OpenCATS 0.9.4 instance exposed to the internet is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply available patches or upgrade to a supported version of OpenCATS to remediate CVE-2021-47936.\u003c/li\u003e\n\u003cli\u003eImplement strict file type validation on all file upload endpoints, blocking the upload of executable files (e.g., PHP, ASP, JSP).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious POST requests targeting files in the upload directory as detected by the Sigma rule \u0026ldquo;Detect OpenCATS RCE via Resume Upload\u0026rdquo;.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules in this brief to your SIEM and tune for your environment.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-10T13:19:13Z","date_published":"2026-05-10T13:19:13Z","id":"https://feed.craftedsignal.io/briefs/2026-05-opencats-rce/","summary":"OpenCATS 0.9.4 is vulnerable to remote code execution (CVE-2021-47936) allowing unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised as resume attachments through the careers job application endpoint, leading to potential system compromise.","title":"OpenCATS 0.9.4 Remote Code Execution Vulnerability (CVE-2021-47936)","url":"https://feed.craftedsignal.io/briefs/2026-05-opencats-rce/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2021-47936","version":"https://jsonfeed.org/version/1.1"}