CVE-2026-49490
Description
OpenCATS 0.9.1a has an SQL injection in DataGrid filter handling for the non-filterable Tags column, allowing authenticated attackers to execute arbitrary SQL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
OpenCATS version 0.9.1a contains an SQL injection vulnerability in the DataGrid filter handling for the Candidates "Tags" column. The server-side filter processing accepts crafted filter input for columns that exist in the DataGrid column configuration even when the column is explicitly marked as non-filterable (filterable => false). This allows an authenticated attacker to inject SQL through a crafted filter targeting the non-filterable Tags column [1][2].
Exploitation
An attacker must be authenticated and able to access the affected DataGrid endpoint. By manipulating filter requests to include SQL payloads in the filter parameters for the Tags column, the attacker can bypass the column filterable restriction. The server processes the filter without proper sanitization, leading to SQL injection [1].
Impact
Successful exploitation allows the attacker to execute arbitrary SQL queries against the database. This can lead to disclosure of sensitive data, modification or deletion of database records, and potential escalation of privileges depending on the database user permissions. The CVSS v3 score is 8.1 (High) [2].
Mitigation
The issue is patched by skipping server-side filter processing for columns marked as non-filterable before any filter rendering logic is executed. Users should upgrade to a release containing the fix once available. There is no complete application-level workaround; as a temporary measure, administrators may restrict access to affected DataGrid endpoints to trusted users only [1].
AI Insight generated on May 31, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
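The mitigation described above, as an added example (not OpenCATS code and not the actual patch): requested filters are checked against the column configuration before any SQL is assembled, and values are bound as parameters. The column map, request shape, operator names and `buildFilterClause()` are assumptions made for illustration.

```php
<?php
// Added illustration, not OpenCATS code. The column map, request shape,
// operator names and buildFilterClause() are hypothetical.
declare(strict_types=1);

const COLUMNS = [
    'First Name' => ['sql' => 'candidate.first_name', 'filterable' => true],
    'City'       => ['sql' => 'candidate.city',       'filterable' => true],
    'Tags'       => ['sql' => 'tag_list',             'filterable' => false],
];
const OPERATORS = ['equals' => '= ?', 'contains' => 'LIKE ?'];

// Returns [whereSql, params, rejectedColumns] for a list of requested filters.
function buildFilterClause(array $columns, array $requested): array
{
    $clauses = $params = $rejected = [];
    foreach ($requested as $f) {
        $name  = is_string($f['column'] ?? null) ? $f['column'] : '';
        $op    = is_string($f['op'] ?? null) ? $f['op'] : '';
        $value = $f['value'] ?? null;
        $def   = $columns[$name] ?? null;
        // Being present in the configuration is not enough: the column must
        // also be marked filterable, or the filter is skipped and reported.
        if ($def === null || ($def['filterable'] ?? false) !== true
            || !array_key_exists($op, OPERATORS) || !is_string($value)) {
            $rejected[] = $name;
            continue;
        }
        // Column SQL comes only from server-side config; the value is bound.
        $clauses[] = $def['sql'] . ' ' . OPERATORS[$op];
        $params[]  = $op === 'contains'
            ? '%' . addcslashes($value, '%_\\') . '%'
            : $value;
    }
    return [$clauses ? implode(' AND ', $clauses) : '1=1', $params, $rejected];
}

// Constructed request: one permitted filter and one aimed at the Tags column.
$requested = [
    ['column' => 'City', 'op' => 'contains', 'value' => 'Oslo'],
    ['column' => 'Tags', 'op' => 'equals',   'value' => 'constructed-value'],
];
[$where, $params, $rejected] = buildFilterClause(COLUMNS, $requested);
echo $where, PHP_EOL;
echo json_encode($params), PHP_EOL;
echo json_encode($rejected), PHP_EOL;
```

Logging the rejected column names gives defenders a signal: a filter request naming a column the UI never offers as filterable does not come from normal use of the grid.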
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 2
News mentions: 0
No linked articles in our index yet.