PatchSiren cyber security CVE debrief
CVE-2026-27760 opencats CVE debrief
A critical vulnerability was discovered in OpenCATS, a popular open-source candidate management system. CVE-2026-27760 is a PHP code injection vulnerability that exists in the installer AJAX endpoint. This vulnerability allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious statements into the databaseConnectivity action parameter. The vulnerability arises from the lack of proper input validation and sanitization in the installer script. Attackers can exploit this vulnerability by breaking out of the define() string context in config.php using a single quote and statement separator. This injected code persists and executes on every subsequent page load when the installation wizard remains incomplete.
- Vendor
- opencats
- Product
- Unknown
- CVSS
- CRITICAL 9.2
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-04-28
- Original CVE updated
- 2026-07-14
- Advisory published
- 2026-04-28
- Advisory updated
- 2026-07-14
Who should care
Administrators and users of OpenCATS prior to commit 3002a29 should be aware of this critical vulnerability. This vulnerability can be exploited by unauthenticated attackers, making it a high-risk issue for organizations using the affected versions of OpenCATS. IT teams responsible for maintaining and securing OpenCATS installations should prioritize patching this vulnerability to prevent potential attacks.
Technical summary
CVE-2026-27760 is a PHP code injection vulnerability in the OpenCATS installer AJAX endpoint. The vulnerability occurs due to insufficient input validation and sanitization in the databaseConnectivity action parameter. Attackers can inject malicious PHP code by using a single quote and statement separator to break out of the define() string context in config.php. The injected code persists and executes on every subsequent page load when the installation wizard is not completed. This vulnerability has a CVSS score of 9.2 and is classified as CRITICAL.
Defensive priority
High
Recommended defensive actions
- Apply the patch from commit 3002a29 or upgrade to a patched version of OpenCATS.
- Review and validate the installation wizard completion status.
- Implement additional input validation and sanitization for the databaseConnectivity action parameter.
- Monitor OpenCATS installations for suspicious activity.
- Consider implementing a web application firewall (WAF) to detect and prevent similar attacks.
Evidence notes
The CVE record was published on 2026-04-28T15:16:26.800Z and was last modified on 2026-07-14T19:16:53.277Z. The NVD entry is currently Deferred. The vulnerability was disclosed by [email protected] via multiple sources, including a detailed advisory on vulncheck.com and several GitHub references.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-28T15:16:26.800Z and has not been modified since then. The NVD entry is currently Deferred.