CVE-2026-27760:
CVE-2026-27760 is a critical PHP code injection vulnerability in OpenCATS prior to commit 3002a29 that allows unauthenticated remote attackers to execute arbitrary code via the installer AJAX endpoint.
Score
8.1 High
- Published Date: Apr 28, 2026
- CISA KEV Date: No Data
- Industries Affected: 20
Exploitability
- Score: 2.2
- Attack Vector: NETWORK
- Attack Complexity: HIGH
- Privileges Required: NONE
- User Interaction: NONE
- Scope: UNCHANGED
Impact
- Score: 5.9
- Confidentiality Impact: HIGH
- Integrity Impact: HIGH
- Availability Impact: HIGH
Overview
CVE-2026-27760 affects OpenCATS versions prior to commit 3002a29 and represents a PHP code injection flaw (CWE-94) residing in the installer AJAX endpoint (`modules/install/ajax/ui.php`). The vulnerable handling of the `databaseConnectivity` action parameter in `CATSUtility.php` allows an unauthenticated network-based attacker to inject and persist arbitrary PHP code into the application's `config.php` file. Because the injected payload survives across requests and executes on every page load during an incomplete installation, the attack surface remains open for the duration of any unfinished setup process. The high attack complexity (AC:H) reflects the requirement that the installation wizard must be in an incomplete state, yet no privileges or user interaction are needed to trigger exploitation. The CVSS 4.0 score of 9.2 and CVSS 3.1 score of 8.1 both reflect the critical nature of full remote code execution achievable by an unauthenticated attacker.
Remediation
- Administrators and operators of OpenCATS should update to a version that includes commit 3002a29f4c3cada1aa2c4f3d4ae4e189906606b6 or later, which resolves the unsafe handling of user input in the installer AJAX endpoint. If an immediate upgrade is not possible, the installation wizard should be disabled or restricted from public access after the initial setup is complete, as the vulnerability is only exploitable while the installation wizard remains in an incomplete state. Network-level controls such as web application firewalls or access restrictions on the install directory can serve as interim mitigations. Any existing `config.php` files on potentially exposed instances should be inspected for unexpected or injected PHP code.
References
- [VulnCheck Advisory: OpenCATS PHP Code Injection via Installer AJAX Endpoint](https://www.vulncheck.com/advisories/opencats-php-code-injection-via-installer-ajax-endpoint)
- [Researcher Write-Up: OpenCATS Installer RCE (chocapikk.com)](https://chocapikk.com/posts/2026/opencats-installer-rce/)
- [Fix Commit 3002a29 on GitHub](https://github.com/opencats/OpenCATS/commit/3002a29f4c3cada1aa2c4f3d4ae4e189906606b6)
- [OpenCATS Pull Request #706](https://github.com/opencats/OpenCATS/pull/706)
- [Vulnerable Code: CATSUtility.php Lines 142–172](https://github.com/opencats/OpenCATS/blob/46e4727/lib/CATSUtility.php#L142-L172)
- [Vulnerable Code: modules/install/ajax/ui.php Line 130](https://github.com/opencats/OpenCATS/blob/46e4727/modules/install/ajax/ui.php#L130)