PatchSiren

CVE-2026-49490 OpenCATS CVE debrief

OpenCATS versions from 0.9.1a contain an authenticated SQL injection vulnerability in DataGrid filter handling. The flaw exists in the Candidates DataGrid, where the Tags column, although marked non-filterable, can be targeted through crafted filter requests. This lets attackers bypass the column's filterable restriction and execute arbitrary SQL queries against the database. The vulnerability requires authentication but can lead to significant confidentiality and integrity impacts on the underlying database.

Vendor: OpenCATS
Product: Unknown
CVSS: HIGH 8.6
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-31
Original CVE updated: 2026-05-31
Advisory published: 2026-05-31
Advisory updated: 2026-05-31

Who should care

  • Organizations running OpenCATS 0.9.1a or later for applicant tracking and recruitment management
  • Database administrators responsible for OpenCATS backend security
  • Security teams monitoring for authenticated SQL injection vectors in PHP-based web applications

Technical summary

The vulnerability resides in OpenCATS DataGrid filter processing where the Tags column in the Candidates DataGrid, designated as non-filterable, can be manipulated through crafted HTTP requests. The filter handling logic fails to properly validate or restrict filter parameters, allowing SQL injection payloads to bypass intended column restrictions. An authenticated attacker can construct malicious filter requests that execute arbitrary SQL against the database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N) reflects network accessibility, low attack complexity, low privilege requirements, and high impacts to confidentiality and integrity with no availability impact.

Defensive priority

HIGH

Recommended defensive actions

  • Apply patches from the OpenCATS project when available, monitoring the GitHub security advisory for updates
  • Restrict network access to OpenCATS instances to authorized users and trusted networks
  • Review database query logs for anomalous filter requests targeting the Candidates DataGrid Tags column
  • Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns in DataGrid filter parameters
  • Validate that DataGrid filter restrictions are properly enforced server-side for all columns including Tags
  • Conduct database integrity checks and review for unauthorized data access if exploitation is suspected
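
One way to enforce the column restriction server-side, as an added example that is not OpenCATS code or the project's fix. The column map, operator tokens, table layout and the function name `buildFilter` are hypothetical, and an in-memory SQLite database stands in for the real backend.

```php
<?php
// Hypothetical column map for illustration; not OpenCATS's real DataGrid schema.
const COLUMNS = [
    'First Name' => ['sql' => 'first_name', 'filterable' => true],
    'Last Name'  => ['sql' => 'last_name',  'filterable' => true],
    'Tags'       => ['sql' => 'tags',       'filterable' => false],
];
// Operator tokens (assumed) mapped to fixed SQL; the value is always a bound parameter.
const OPERATORS = ['=' => '= ?', '=~' => 'LIKE ?'];
// Each filter is [column label, operator, value] exactly as received from the client.
function buildFilter(array $filters): array
{
    $clauses = $params = [];
    foreach ($filters as $f) {
        if (!is_array($f) || count($f) !== 3) {
            throw new InvalidArgumentException('malformed filter');
        }
        [$label, $op, $value] = array_values($f);
        if (!is_string($label) || !array_key_exists($label, COLUMNS)) {
            throw new InvalidArgumentException('unknown column');
        }
        // Enforce the flag here, not only when the UI is rendered.
        if (!COLUMNS[$label]['filterable']) {
            throw new InvalidArgumentException("column not filterable: $label");
        }
        if (!is_string($op) || !array_key_exists($op, OPERATORS) || !is_string($value)) {
            throw new InvalidArgumentException('bad operator or value');
        }
        $clauses[] = COLUMNS[$label]['sql'] . ' ' . OPERATORS[$op];
        $params[] = $op === '=~' ? "%$value%" : $value;
    }
    return [$clauses ? implode(' AND ', $clauses) : '1 = 1', $params];
}

$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE candidate (first_name TEXT, last_name TEXT, tags TEXT)');
$pdo->exec("INSERT INTO candidate VALUES ('Ada', 'Lovelace', 'math'), ('Alan', 'Turing', 'crypto')");
// Constructed requests: a normal filter, a value containing a quote, a filter on Tags.
$requests = [[['Last Name', '=', 'Turing']], [['First Name', '=~', "d'A"]], [['Tags', '=~', 'crypto']]];
foreach ($requests as $filters) {
    try {
        [$where, $params] = buildFilter($filters);
        $stmt = $pdo->prepare("SELECT first_name FROM candidate WHERE $where");
        $stmt->execute($params);
        echo json_encode($filters), ' => ', json_encode($stmt->fetchAll(PDO::FETCH_COLUMN)), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo json_encode($filters), ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```

Rejecting the request outright, rather than silently dropping the filter, also gives the application a discrete event to log and alert on.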

Evidence notes

Vulnerability confirmed through the official GitHub security advisory (GHSA-gmpc-j6h7-vw74) and the VulnCheck advisory. The CVSS 4.0 vector indicates a network attack vector with low attack complexity, low privileges required, and no user interaction needed.

Official resources

Disclosed via GitHub Security Advisory and VulnCheck advisory on 2026-05-31.