CVE-2026-27760
Received Received - Intake
PHP Code Injection in OpenCATS Installer Enables Remote Code Execution

Publication date: 2026-04-28

Last updated on: 2026-04-28

Assigner: VulnCheck

Description
OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter. Attackers can break out of the define() string context in config.php using a single quote and statement separator to inject malicious PHP code that persists and executes on every subsequent page load when the installation wizard remains incomplete.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-28
Last Modified
2026-04-28
Generated
2026-06-16
AI Q&A
2026-04-28
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27760
EUVD
EUVD-2026-26052
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
opencats opencats to 3002a29 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-27760 is a critical PHP code injection vulnerability in OpenCATS versions prior to commit 3002a29. It exists in the installer's AJAX endpoint, specifically in the databaseConnectivity action parameter. Unauthenticated attackers can inject arbitrary PHP code by breaking out of the define() string context in the config.php file using a single quote and statement separator. This malicious PHP code is then persistently stored and executed on every subsequent page load as long as the installation wizard remains incomplete.

The vulnerability arises because the installer AJAX endpoint writes user-supplied input directly into the config.php file without proper sanitization or escaping. Attackers exploit this by injecting PHP statements that get executed globally within the application.

Impact Analysis

This vulnerability allows unauthenticated remote attackers to execute arbitrary PHP code on the server running OpenCATS. This can lead to full system compromise, including unauthorized access, data theft, data modification, and disruption of service.

  • Attackers can run arbitrary commands on the server.
  • Confidential data stored in the system can be exposed or altered.
  • The integrity and availability of the application can be severely impacted.

The vulnerability has a high CVSS v4 score of 9.2, indicating critical severity with network attack vector, no privileges or user interaction required, and high impacts on confidentiality, integrity, and availability.

Detection Guidance

This vulnerability can be detected by checking if the OpenCATS installer AJAX endpoint is accessible and vulnerable. Specifically, you can send a GET request to the installer AJAX endpoint to verify if the installation wizard is incomplete and the endpoint is exposed.

  • Send a GET request to `/ajax.php?f=install:ui&a=databaseConnectivity`.

If the response contains the string `setActiveStep`, it indicates that the installer is active and vulnerable. If the response contains `installLocked`, it means the installation is complete and the endpoint is protected.

  • Example command using curl to check installer accessibility: `curl -i 'http://<target>/ajax.php?f=install:ui&a=databaseConnectivity'`

This check helps determine if the vulnerable installer AJAX endpoint is exposed and can be targeted for PHP code injection.

Mitigation Strategies

Immediate mitigation steps involve restricting access to the installer AJAX endpoint and applying the security patch that properly escapes configuration values.

  • Ensure the installation wizard is completed so that the `INSTALL_BLOCK` file is created, which disables the vulnerable installer AJAX endpoint.
  • Apply the security update that restricts AJAX requests during installation or upgrade to only allow installer-specific actions, rejecting all others.
  • Update the code to escape all installer configuration values using PHP's `var_export()` function before writing them to `config.php` to prevent code injection.

These steps prevent unauthorized AJAX requests during installation and secure the configuration file from malicious code injection.

Compliance Impact

CVE-2026-27760 is a critical PHP code injection vulnerability that allows unauthenticated attackers to execute arbitrary code on the OpenCATS system by injecting malicious PHP statements into configuration files. This vulnerability can lead to unauthorized access, data manipulation, and potential full system compromise.

Such unauthorized access and control over the system can result in breaches of confidentiality, integrity, and availability of sensitive data managed by OpenCATS, including personal and applicant information.

Consequently, this vulnerability poses a significant risk to compliance with common data protection standards and regulations such as GDPR and HIPAA, which mandate strict controls to protect personal and sensitive data from unauthorized access and breaches.

Failure to address this vulnerability could lead to violations of these regulations, resulting in legal penalties, reputational damage, and loss of trust.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27760. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart