CVE-2026-27760
Status: Received - Intake
PHP Code Injection in OpenCATS Installer Enables Remote Code Execution

Publication date: 2026-04-28

Last updated on: 2026-04-28

Assigner: VulnCheck

Description
OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter. Attackers can break out of the define() string context in config.php using a single quote and statement separator to inject malicious PHP code that persists and executes on every subsequent page load when the installation wizard remains incomplete.
Meta Information
Published: 2026-04-28
Last Modified: 2026-04-28
Generated: 2026-05-07
AI Q&A: 2026-04-28
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: opencats
Product: opencats
Version / Range: to 3002a29 (exclusive)
CWE
CWE-94: The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-27760 is a critical PHP code injection vulnerability in OpenCATS versions prior to commit 3002a29. It exists in the installer's AJAX endpoint, specifically in the databaseConnectivity action parameter. Unauthenticated attackers can inject arbitrary PHP code by breaking out of the define() string context in the config.php file using a single quote and statement separator. This malicious PHP code is then persistently stored and executed on every subsequent page load as long as the installation wizard remains incomplete.

The vulnerability arises because the installer AJAX endpoint writes user-supplied input directly into the config.php file without proper sanitization or escaping. Attackers exploit this by injecting PHP statements that get executed globally within the application.


How can this vulnerability impact me?

This vulnerability allows unauthenticated remote attackers to execute arbitrary PHP code on the server running OpenCATS. This can lead to full system compromise, including unauthorized access, data theft, data modification, and disruption of service.

  • Attackers can run arbitrary commands on the server.
  • Confidential data stored in the system can be exposed or altered.
  • The integrity and availability of the application can be severely impacted.

The vulnerability has a high CVSS v4 score of 9.2, indicating critical severity with network attack vector, no privileges or user interaction required, and high impacts on confidentiality, integrity, and availability.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking if the OpenCATS installer AJAX endpoint is accessible and vulnerable. Specifically, you can send a GET request to the installer AJAX endpoint to verify if the installation wizard is incomplete and the endpoint is exposed.

  • Send a GET request to `/ajax.php?f=install:ui&a=databaseConnectivity`.

If the response contains the string `setActiveStep`, it indicates that the installer is active and vulnerable. If the response contains `installLocked`, it means the installation is complete and the endpoint is protected.

  • Example command using curl to check installer accessibility: `curl -i 'http://<target>/ajax.php?f=install:ui&a=databaseConnectivity'`

This check helps determine if the vulnerable installer AJAX endpoint is exposed and can be targeted for PHP code injection.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps involve restricting access to the installer AJAX endpoint and applying the security patch that properly escapes configuration values.

  • Ensure the installation wizard is completed so that the `INSTALL_BLOCK` file is created, which disables the vulnerable installer AJAX endpoint.
  • Apply the security update that restricts AJAX requests during installation or upgrade to only allow installer-specific actions, rejecting all others.
  • Update the code to escape all installer configuration values using PHP's `var_export()` function before writing them to `config.php` to prevent code injection.

These steps prevent unauthorized AJAX requests during installation and secure the configuration file from malicious code injection.
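
The escaping described in the last bullet, as an added example (not OpenCATS code and not the project's patch): it compares unescaped interpolation with `var_export()` and uses the tokenizer to check that the generated line is still exactly one `define()` call. The function names, the `DATABASE_HOST` constant and the sample values are assumptions constructed for illustration.

```php
<?php
// Added example; function names and DATABASE_HOST are hypothetical.

/** 'Before' pattern: the value is pasted between single quotes unescaped. */
function renderDefineUnsafe(string $name, string $value): string
{
    return "define('" . $name . "', '" . $value . "');";
}

/** Hardened pattern: var_export() emits a correctly escaped PHP string literal. */
function renderDefineSafe(string $name, string $value): string
{
    return 'define(' . var_export($name, true) . ', ' . var_export($value, true) . ');';
}

/**
 * True when $line tokenises to exactly define(<string>, <string>);
 * and nothing else. Any extra token means the value left its string context.
 */
function isSingleDefine(string $line): bool
{
    $shape = [];
    foreach (token_get_all('<?php ' . $line) as $tok) {
        if (!is_array($tok)) {
            $shape[] = $tok;                      // punctuation such as ( , ) ;
        } elseif (!in_array($tok[0], [T_OPEN_TAG, T_WHITESPACE], true)) {
            $shape[] = $tok[0] === T_STRING ? strtolower($tok[1]) : token_name($tok[0]);
        }
    }
    return $shape === ['define', '(', 'T_CONSTANT_ENCAPSED_STRING', ',',
                       'T_CONSTANT_ENCAPSED_STRING', ')', ';'];
}

// Constructed inputs: an ordinary host name, and a value containing a
// single quote and a statement separator.
$samples = ['db.internal.example', "db'; echo 1; '"];

foreach ($samples as $value) {
    printf(
        "%-22s unsafe_ok=%s safe_ok=%s\n",
        $value,
        var_export(isSingleDefine(renderDefineUnsafe('DATABASE_HOST', $value)), true),
        var_export(isSingleDefine(renderDefineSafe('DATABASE_HOST', $value)), true)
    );
}
```

For the second sample the unescaped line fails the check while the `var_export()` line passes, because the quote is written as `\'` and stays inside the literal.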


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-27760 is a critical PHP code injection vulnerability that allows unauthenticated attackers to execute arbitrary code on the OpenCATS system by injecting malicious PHP statements into configuration files. This vulnerability can lead to unauthorized access, data manipulation, and potential full system compromise.

Such unauthorized access and control over the system can result in breaches of confidentiality, integrity, and availability of sensitive data managed by OpenCATS, including personal and applicant information.

Consequently, this vulnerability poses a significant risk to compliance with common data protection standards and regulations such as GDPR and HIPAA, which mandate strict controls to protect personal and sensitive data from unauthorized access and breaches.

Failure to address this vulnerability could lead to violations of these regulations, resulting in legal penalties, reputational damage, and loss of trust.

