OpenCATS Installer Vulnerability Allows Unauthenticated PHP Code Injection
The National Vulnerability Database has detailed CVE-2026-27760, a critical PHP code injection flaw in OpenCATS prior to commit 3002a29. This vulnerability resides within the installer’s AJAX endpoint, allowing unauthenticated attackers to execute arbitrary code. The issue stems from insufficient input validation in the databaseConnectivity action parameter, where attackers can inject malicious PHP statements.
Attackers can escape the define() string context in config.php using a single quote and statement separator. This enables them to inject persistent PHP code that executes on every subsequent page load, provided the installation wizard remains incomplete. With a CVSS score of 8.1 (HIGH), this vulnerability poses a significant risk for systems where the OpenCATS installation process has not been fully completed or secured.
The CVSS vector CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H indicates that the flaw is exploitable over the network without authentication or user interaction, with high impact on confidentiality, integrity, and availability. Attack complexity is rated high, but the potential for unauthenticated remote code execution makes this a severe threat for affected OpenCATS instances.
What This Means For You
- If your organization uses OpenCATS, immediately verify that the installation process is fully complete and secured. If the installation wizard is still active or incomplete, your system is vulnerable to CVE-2026-27760. Patch to commit 3002a29 or later to mitigate this unauthenticated PHP code injection risk.
🛡️ Detection Rules
CVE-2026-27760 - OpenCATS Installer PHP Code Injection
```yaml
title: CVE-2026-27760 - OpenCATS Installer PHP Code Injection
id: scw-2026-04-28-ai-1
status: experimental
level: critical
description: |
  Detects the specific exploit pattern for CVE-2026-27760 by looking for requests to the OpenCATS installer endpoint '/install/index.php' with a 'databaseConnectivity' action and a malformed 'dbHost' parameter containing a single quote, indicative of an attempt to inject PHP code.
author: SCW Feed Engine (AI-generated)
date: 2026-04-28
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-27760/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri|contains:
      - '/install/index.php'
    cs-uri-query|contains:
      - "databaseConnectivity&dbHost='"
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
Source: Shimi's Cyber World
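The Sigma rule above matches one literal substring of the query string, so a percent-encoded quote (`%27`), a quote that is not the first character of `dbHost`, or reordered parameters would not match. The following Python check is an added example (not part of the original rule or of OpenCATS) that applies the same logic after URL decoding; the Combined Log Format, the `action` parameter name and the sample entries are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Request line of a Combined Log Format entry (assumed log format).
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+"')

INSTALLER_PATH = "/install/index.php"  # path from the Sigma rule
ACTION = "databaseConnectivity"        # action named in the advisory
PARAM = "dbHost"                       # parameter from the Sigma rule


def is_suspicious(log_line):
    """Installer databaseConnectivity request whose dbHost holds a single quote."""
    m = REQUEST_RE.search(log_line)
    if not m:
        return False
    url = urlsplit(m.group("target"))
    if INSTALLER_PATH not in url.path:
        return False
    # parse_qs percent-decodes keys and values, so %27 becomes a literal quote,
    # and the result does not depend on parameter order.
    params = parse_qs(url.query, keep_blank_values=True)
    has_action = ACTION in params or any(ACTION in v for v in params.values())
    quoted_host = any("'" in v for v in params.get(PARAM, []))
    return has_action and quoted_host


def scan(lines):
    """Return the 0-based indexes of the lines that match."""
    return [i for i, line in enumerate(lines) if is_suspicious(line)]


# Constructed sample entries; the address is from a documentation range and the
# "action" parameter name is a placeholder, not taken from OpenCATS.
PREFIX = '192.0.2.10 - - [28/Apr/2026:18:20:01 +0000] "GET '
SUFFIX = ' HTTP/1.1" 200 512 "-" "-"'
SAMPLE_LOG = [PREFIX + target + SUFFIX for target in (
    "/install/index.php?action=databaseConnectivity&dbHost=localhost",
    "/install/index.php?action=databaseConnectivity&dbHost='x",
    "/install/index.php?action=databaseConnectivity&dbHost=db%27%3B",
    "/install/index.php?dbHost=db%27&action=databaseConnectivity",
    "/index.php?m=home&name=O%27Brien",
)]

if __name__ == "__main__":
    for i in scan(SAMPLE_LOG):
        print("suspicious:", SAMPLE_LOG[i])
```

Of the flagged entries, only the second one would also match the literal substring in the Sigma rule.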
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-27760 | Code Injection | OpenCATS installer AJAX endpoint |
| CVE-2026-27760 | RCE | OpenCATS prior to commit 3002a29 |
| CVE-2026-27760 | Code Injection | PHP code injection via databaseConnectivity action parameter |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 28, 2026 at 18:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.