CVE-2026-27760 CRITICAL

CVE-2026-27760: OpenCATS PHP Code Injection via installer AJAX endpoint

Vendor Opencats
Product OpenCATS
Weakness CWE-94 · Code injection
Published April 28, 2026
Last update May 11, 2026

CVSS base score

9.2/10
Attack vector       Network
Attack complexity   High
Privileges required None
User interaction    None
Confidentiality     High (VC:H in the vector below)
Integrity           High (VI:H in the vector below)

CVSS vector

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter. Attackers can break out of the define() string context in config.php using a single quote and statement separator to inject malicious PHP code that persists and executes on every subsequent page load when the installation wizard remains incomplete.
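The root cause above is a config writer that places a request-supplied value inside a single-quoted PHP literal without escaping it. The following is an added illustration of the hardened pattern, written for this page and not taken from OpenCATS; the function names, the DB_HOST constant and the sample value are constructed, and it assumes the installer builds config.php by emitting define() lines.

```php
<?php
// Added example, not OpenCATS code. Emits one define() line for config.php
// so that a user-supplied value can never terminate the string literal.

function write_define_line(string $name, string $value): string
{
    // Constant names must come from the installer's own fixed list,
    // never from the request, so a strict pattern is enforced here.
    if (!preg_match('/^[A-Z_][A-Z0-9_]*$/', $name)) {
        throw new InvalidArgumentException("Invalid constant name: $name");
    }
    // var_export() renders a single-quoted PHP literal with ' and \ escaped,
    // so a quote or a ';' statement separator in $value stays inside the string.
    return 'define(' . var_export($name, true) . ', '
         . var_export($value, true) . ");\n";
}

function is_safe_config_line(string $line): bool
{
    // Post-write check a defender can run over config.php: a well-formed line
    // is exactly one define() of two single-quoted literals, then ");" and a newline.
    // Anything injected after the closing quote would fail this match.
    return (bool) preg_match(
        "/^define\\('[A-Z_][A-Z0-9_]*', '(?:[^'\\\\]|\\\\.)*'\\);\\n$/",
        $line
    );
}

// Constructed hostile value: contains both a single quote and a ';'.
$hostile = "localhost'; echo 1; //";
$line = write_define_line('DB_HOST', $hostile);   // DB_HOST is a placeholder name
echo $line;
// define('DB_HOST', 'localhost\'; echo 1; //');
var_dump(is_safe_config_line($line));              // bool(true)

// The same check flags a line where the quote was not escaped.
$unescaped = "define('DB_HOST', '" . $hostile . "');\n";
var_dump(is_safe_config_line($unescaped));         // bool(false)
```

The second check shows the detection side: running is_safe_config_line() over each define() line of an existing config.php is a cheap way to spot a line that no longer contains a single string literal.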

Key dates

Disclosure timeline

April 28, 2026 CVE published
May 11, 2026 Record updated