PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-27760 opencats CVE debrief

A critical vulnerability was discovered in OpenCATS, a popular open-source candidate management system. CVE-2026-27760 is a PHP code injection vulnerability that exists in the installer AJAX endpoint. This vulnerability allows unauthenticated attackers to execute arbitrary PHP code by injecting malicious statements into the databaseConnectivity action parameter. The vulnerability arises from the lack of proper input validation and sanitization in the installer script. Attackers can exploit this vulnerability by breaking out of the define() string context in config.php using a single quote and statement separator. This injected code persists and executes on every subsequent page load when the installation wizard remains incomplete.

Vendor
opencats
Product
Unknown
CVSS
CRITICAL 9.2
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-28
Original CVE updated
2026-07-14
Advisory published
2026-04-28
Advisory updated
2026-07-14

Who should care

Administrators and users of OpenCATS prior to commit 3002a29 should be aware of this critical vulnerability. This vulnerability can be exploited by unauthenticated attackers, making it a high-risk issue for organizations using the affected versions of OpenCATS. IT teams responsible for maintaining and securing OpenCATS installations should prioritize patching this vulnerability to prevent potential attacks.

Technical summary

CVE-2026-27760 is a PHP code injection vulnerability in the OpenCATS installer AJAX endpoint. The vulnerability occurs due to insufficient input validation and sanitization in the databaseConnectivity action parameter. Attackers can inject malicious PHP code by using a single quote and statement separator to break out of the define() string context in config.php. The injected code persists and executes on every subsequent page load when the installation wizard is not completed. This vulnerability has a CVSS score of 9.2 and is classified as CRITICAL.

Defensive priority

High

Recommended defensive actions

  • Apply the patch from commit 3002a29 or upgrade to a patched version of OpenCATS.
  • Review and validate the installation wizard completion status.
  • Implement additional input validation and sanitization for the databaseConnectivity action parameter.
  • Monitor OpenCATS installations for suspicious activity.
  • Consider implementing a web application firewall (WAF) to detect and prevent similar attacks.

Evidence notes

The CVE record was published on 2026-04-28T15:16:26.800Z and was last modified on 2026-07-14T19:16:53.277Z. The NVD entry is currently Deferred. The vulnerability was disclosed by [email protected] via multiple sources, including a detailed advisory on vulncheck.com and several GitHub references.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-04-28T15:16:26.800Z and has not been modified since then. The NVD entry is currently Deferred.