High severity8.1NVD Advisory· Published Apr 28, 2026· Updated Apr 28, 2026

CVE-2026-27760

Description

OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter. Attackers can break out of the define() string context in config.php using a single quote and statement separator to inject malicious PHP code that persists and executes on every subsequent page load when the installation wizard remains incomplete.

Affected products

Opencats/Opencatsreferences2 versions
(expand)+ 1 more
- (no CPE)
- (no CPE)range: < commit 3002a29

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

chocapikk.com/posts/2026/opencats-installer-rce/nvd
github.com/opencats/OpenCATS/blob/46e4727/lib/CATSUtility.phpnvd
github.com/opencats/OpenCATS/blob/46e4727/modules/install/ajax/ui.phpnvd
github.com/opencats/OpenCATS/commit/3002a29f4c3cada1aa2c4f3d4ae4e189906606b6nvd
github.com/opencats/OpenCATS/pull/706nvd
www.vulncheck.com/advisories/opencats-php-code-injection-via-installer-ajax-endpointnvd

News mentions

No linked articles in our index yet.

cvss	0.526
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000