VYPR
AI Brief2026-06-01· generated Jun 1, 2026

OpenCATS SQL Injection And Git LFS Path Traversal Flaws

OpenCATS recruitment software faces high-severity SQL injection risks while a path traversal flaw in Git LFS threatens development environment integrity.

OpenCATS is currently facing scrutiny due to two high-severity SQL injection vulnerabilities that could allow authenticated attackers to compromise sensitive database information. The flaws, identified as CVE-2026-49489 and CVE-2026-49490, reside in the DataGrid component and affect versions through 0.9.7.4 and starting from 0.9.1a respectively. By manipulating the sortDirection parameter or injecting crafted filters into the Tags column, an attacker can bypass standard input validation. These vulnerabilities pose a significant risk to recruitment platforms relying on the software, as they enable unauthorized data extraction. Administrators are urged to review their current deployment and apply available patches to mitigate these injection vectors.

A critical path traversal vulnerability has been identified in Git LFS, impacting versions 0.5.2 through 3.7.0. Tracked as CVE-2025-26625, this flaw occurs when the extension populates a repository's working tree, potentially allowing malicious Git LFS commands to write files outside the intended directory. This behavior could be leveraged to overwrite system files or place malicious binaries in sensitive locations if an attacker controls the repository contents. Given the widespread use of Git LFS in development workflows, this issue represents a notable supply-chain risk for CI/CD pipelines. Users should update to the latest version of Git LFS to ensure that file operations are properly constrained to the repository root.

The Libjxl Project has disclosed a heap buffer overflow vulnerability affecting version 0.12.0 of its library, specifically within the image decoding logic. The vulnerability, designated as CVE-2025-70103, is triggered when the library processes a maliciously crafted PBM image via the jxl::extras::DecodeImagePNM function. Successful exploitation could lead to memory corruption, potentially resulting in application crashes or arbitrary code execution depending on the environment. While the impact is localized to systems processing untrusted image data, developers integrating this library should prioritize updating to a patched version to prevent potential exploitation.

Synthesized by Vypr AI
OpenCATS SQL Injection And Git LFS Path Traversal Flaws · VYPR