CVE-2026-49489

Deferred Deferred - Pending Action

SQL Injection in OpenCATS via DataGrid sortDirection Parameter

Publication date: 2026-05-31

Last updated on: 2026-05-31

Assigner: VulnCheck

Description

OpenCATS through 0.9.7.4 contains a sql injection vulnerability in the sortDirection parameter of the DataGrid component that allows authenticated users to extract database contents. Attackers can inject malicious SQL via the sortDirection parameter in ajax/getDataGridPager.php to perform time-based blind injection attacks and read sensitive data.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published

2026-05-31

Last Modified

2026-05-31

Generated

2026-06-20

AI Q&A

2026-05-31

EPSS Evaluated

2026-06-19

NVD

CVE-2026-49489

EUVD

EUVD-2026-33501

Affected Vendors & Products

Vendor	Product	Version / Range
opencats	opencats	to 0.9.7.4 (exc)

Helpful Resources

Exploitability

CWE

KEV

CWE ID	Description
CWE-89	The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

CWE ID

Description

CWE-89

The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

Executive Summary

CVE-2026-49489 is a high-severity SQL injection vulnerability in OpenCATS version 0.9.7.4 and earlier. It exists in the DataGrid component, specifically in the sortDirection parameter of the ajax/getDataGridPager.php endpoint. Authenticated users can inject malicious SQL code via this parameter because it is concatenated directly into SQL queries without proper validation.

This flaw allows attackers to perform time-based blind SQL injection attacks, enabling them to extract sensitive database contents such as user credentials, personal identifiable information (PII), and other confidential data.

Impact Analysis

This vulnerability can lead to unauthorized access to sensitive and confidential data stored in the OpenCATS database. Attackers can extract information such as database version, database name, user counts, individual user credentials including usernames, access levels, and hashed passwords.

Because the attack requires only basic authentication and a single GET request, it can be exploited easily on default configurations, potentially compromising the integrity and confidentiality of your data.

The impact includes data breaches, exposure of personal and sensitive information, and potential further exploitation of compromised credentials.

Detection Guidance

This vulnerability can be detected by testing the sortDirection parameter in the ajax/getDataGridPager.php endpoint for SQL injection vulnerabilities. Authenticated users can attempt time-based blind SQL injection by injecting payloads that cause delays, such as using SQL functions like IF() and SLEEP().

A common detection method involves sending crafted HTTP GET requests with malicious SQL payloads in the sortDirection parameter and observing response delays to confirm the vulnerability.

Use curl or similar tools to send requests with payloads that cause time delays, for example:
curl -i -s -k -X GET 'http://target/ajax/getDataGridPager.php?sortDirection=ASC' --cookie 'auth=your_auth_cookie'
Modify the sortDirection parameter to include a time delay payload, such as: ASC' AND IF(1=1,SLEEP(5),0)--

If the response time increases significantly (e.g., by 5 seconds), it indicates the presence of a time-based blind SQL injection vulnerability.

Mitigation Strategies

Immediate mitigation steps include applying patches or updates provided by the OpenCATS project that fix the SQL injection vulnerability in the DataGrid component.

If patches are not immediately available, restrict or disable access to the ajax/getDataGridPager.php endpoint or the affected DataGrid functionality for authenticated users until a fix is applied.

Implement web application firewall (WAF) rules to detect and block malicious SQL injection payloads targeting the sortDirection parameter.

Review and enforce strict input validation and sanitization on all user-controllable parameters, especially sortDirection, to prevent injection of SQL special characters.

Monitor logs for suspicious activity related to the DataGrid component and unauthorized data access attempts.

Compliance Impact

The SQL injection vulnerability in OpenCATS allows authenticated attackers to extract sensitive database contents, including user credentials and personally identifiable information (PII).

Unauthorized access to such sensitive data can lead to violations of data protection regulations like GDPR and HIPAA, which require safeguarding personal and confidential information against unauthorized disclosure.

Therefore, this vulnerability poses a significant risk to compliance with these standards by potentially exposing protected data through unauthorized database extraction.

Hi! I’m here to help you understand CVE-2026-49489. Ask me anything about the vulnerability, its impact, or mitigation strategies.

0/70

CVE-2026-49489

SQL Injection in OpenCATS via DataGrid sortDirection Parameter

Description

CVSS Scores

EPSS Scores

Meta Information

Affected Vendors & Products

Helpful Resources

Exploitability

Attack-Flow Graph

AI Quick Actions

Chat Assistant

EPSS Chart