OpenCATS 0.9.4 Critical RCE via Malicious Resume Uploads

The National Vulnerability Database has disclosed CVE-2021-47936, a critical remote code execution (RCE) vulnerability in OpenCATS version 0.9.4. This flaw allows unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised as resume attachments. The attack vector leverages the careers job application endpoint, enabling PHP payloads to be uploaded and subsequently executed via POST requests to the uploaded file in the system’s upload directory.

With a CVSS score of 9.8 (CRITICAL), this vulnerability poses a severe risk. It requires no authentication (AV:N, PR:N), has low attack complexity (AC:L), and needs no user interaction (UI:N). The impact is complete compromise of confidentiality, integrity, and availability (C:H, I:H, A:H). This is a textbook example of CWE-306, missing authentication for a critical function, combined with unrestricted file upload.

For defenders, this is a glaring red flag. An attacker only needs to find an exposed OpenCATS instance and submit a seemingly legitimate job application to gain a foothold. The ability to execute arbitrary code without authentication is the holy grail for initial access, potentially leading to full system compromise, data exfiltration, or further lateral movement within the network. This isn’t theoretical; it’s a direct path to a breach.

What This Means For You

  • If your organization uses OpenCATS 0.9.4, you must prioritize patching or isolating this system immediately. Audit your web server logs for suspicious file uploads submitted through the careers endpoint or landing in the upload directory, especially from unauthenticated sources, and check for unexpected POST requests to PHP files in those locations.

🛡️ Detection Rules

5 detection rules were auto-generated for this incident and mapped to MITRE ATT&CK; the Sigma YAML of the first is shown below.

Rule: Web Application Exploitation Attempt — CVE-2021-47936
Level: high · ATT&CK: T1190 (Exploit Public-Facing Application), Initial Access

Sigma YAML:
title: Web Application Exploitation Attempt — CVE-2021-47936
id: scw-2026-05-10-1
status: experimental
level: high
description: |
  Detects common exploitation patterns targeting web applications. Review CVE-2021-47936 advisories for specific indicators.
author: SCW Feed Engine (auto-generated)
date: 2026-05-10
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2021-47936/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
# Generic query-string pattern rule. It does not inspect multipart request bodies, so the
# resume-upload step itself and a later request to an uploaded .php file are not covered here.
detection:
  selection:
    cs-uri-query|contains:
      - '..'
      - 'SELECT'
      - 'UNION'
      - '<script'
      - 'cmd='
      - '/etc/passwd'
  condition: selection
falsepositives:
  - Legitimate requests whose query string happens to contain these substrings (search terms, rich-text content)

Source: Shimi's Cyber World

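The log checks recommended under "What This Means For You" (unexpected requests to PHP files in the upload directory, uploads submitted through the careers endpoint) can be run directly over web server access logs, and they catch the step the auto-generated Sigma rule above misses: that rule keys on query-string substrings, whereas the upload described here travels in a POST body and the follow-up request simply names the dropped .php file. The Python script below is an added example written for this page; it is not code from OpenCATS or from the feed. It assumes Combined Log Format lines, that the public job board is served under /careers/, a list of candidate upload-directory prefixes (/attachments/, /upload/, /uploads/) and the PHP file extensions the server executes; the query parameter names in the sample are likewise assumptions, and the log lines are constructed.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Combined Log Format: ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed deployment paths (not taken from the advisory): public job board under /careers/,
# attachments stored under one of these prefixes. Adjust both to the actual install.
CAREERS_PREFIX = "/careers/"
UPLOAD_PREFIXES = ("/attachments/", "/upload/", "/uploads/")
# Extensions commonly handed to the PHP interpreter; an assumption about the server config.
PHP_SUFFIXES = (".php", ".phtml", ".phar")


@dataclass
class Finding:
    ip: str
    kind: str      # "php_exec_in_upload_dir" or "upload_then_exec"
    status: str
    line: str


def parse(line: str) -> Optional[dict]:
    """Parse one access-log line; None for lines that do not match the format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_php_in_upload_dir(path: str) -> bool:
    """True when the request names a PHP file under an upload prefix (query string ignored)."""
    p = path.split("?", 1)[0].lower()
    return p.endswith(PHP_SUFFIXES) and p.startswith(UPLOAD_PREFIXES)


def scan(lines: Iterable[str]) -> List[Finding]:
    """Flag every request for a PHP file under the upload directory.

    A 404 is still reported (it shows a client probing for a dropped file). When the same
    client POSTed to the careers endpoint earlier in the log, the finding is upgraded to
    'upload_then_exec', the two-step pattern the advisory describes.
    """
    findings: List[Finding] = []
    careers_posters = set()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"].startswith(CAREERS_PREFIX):
            careers_posters.add(rec["ip"])
        if is_php_in_upload_dir(rec["path"]):
            kind = "upload_then_exec" if rec["ip"] in careers_posters else "php_exec_in_upload_dir"
            findings.append(Finding(rec["ip"], kind, rec["status"], line))
    return findings


# Constructed sample log (RFC 5737 documentation addresses; query parameter names are assumed).
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2026:16:20:01 +0000] "GET /careers/index.php?p=showJob&ID=12 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2026:16:20:09 +0000] "POST /careers/index.php?p=applyToJob&ID=12 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2026:16:20:15 +0000] "POST /attachments/1/resume.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2026:16:21:00 +0000] "POST /careers/index.php?p=applyToJob&ID=13 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/May/2026:16:21:03 +0000] "GET /attachments/2/resume.pdf HTTP/1.1" 200 90112 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2026:16:22:30 +0000] "GET /attachments/shell.php HTTP/1.1" 404 199 "-" "curl/8.0"
not a log line
"""


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"{f.kind:24} {f.ip:14} HTTP {f.status}  {f.line}")
```

Run on the constructed sample, the script reports the 203.0.113.7 sequence (careers POST, then a POST to a .php file under /attachments/) as upload_then_exec and the 404 probe from 192.0.2.9 as php_exec_in_upload_dir; the ordinary PDF résumé fetch is not flagged. Alongside patching, configuring the web server to serve the upload directory as static content only (no PHP handler there) removes the execution step regardless of what the upload filter accepts, and it is a short-term control that does not depend on a vendor fix.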

Indicators of Compromise

ID              Type  Indicator
CVE-2021-47936  RCE   OpenCATS 0.9.4
CVE-2021-47936  RCE   Unauthenticated file upload of malicious PHP files via resume attachments
CVE-2021-47936  RCE   careers job application endpoint
CVE-2021-47936  RCE   Execution of uploaded PHP files via POST requests in the upload directory

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 10, 2026 at 16:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

