OpenCATS SQL Injection (CVE-2026-49489) Allows Database Content Extraction
The National Vulnerability Database has detailed CVE-2026-49489, a high-severity SQL injection vulnerability impacting OpenCATS through version 0.9.7.4. This flaw resides within the sortDirection parameter of the DataGrid component, specifically in ajax/getDataGridPager.php.
Authenticated users can exploit this vulnerability to perform time-based blind SQL injection attacks. The core impact is the ability to extract sensitive database contents, posing a significant risk to data confidentiality. The National Vulnerability Database assigns a CVSS score of 8.5 (High), underscoring the severity of this issue.
This isn’t a theoretical concern; it’s a direct path to sensitive data for anyone with valid credentials. Defenders need to recognize that ‘authenticated’ doesn’t mean ‘safe.’ It means an attacker has cleared the first hurdle and is now leveraging a critical application flaw to pivot deeper into your data stores. The attacker’s calculus here is simple: gain a foothold, then leverage application logic flaws to exfiltrate.
What This Means For You
- If your organization uses OpenCATS, immediately check your version and apply any available patches or mitigations for CVE-2026-49489. Audit logs for suspicious activity around the `ajax/getDataGridPager.php` endpoint, especially for unusual `sortDirection` parameter values. This is a clear data exfiltration risk that needs urgent attention.
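The log audit suggested above can be scripted; the following is an added example, not code from OpenCATS or from the advisory. It assumes combined-format web access logs, that `sortDirection` is visible in the URL query string (values sent in a POST body will not appear in access logs and need request-body or WAF logging), that the endpoint name may appear in the path or in a dispatcher query such as `f=getDataGridPager`, and that `ASC` and `DESC` are the only legitimate values.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumption: the only legitimate sort directions are ASC and DESC.
ALLOWED = {"ASC", "DESC"}
ENDPOINT = "getDataGridPager"  # from the advisory's ajax/getDataGridPager.php

# Combined log format: ip - user [time] "METHOD url PROTO" status size ...
LINE_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def suspicious_sort_requests(lines):
    """Return (ip, user, decoded_value) for DataGrid pager requests whose
    sortDirection value is not on the allowlist."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a parsable access-log line
        ip, user, _method, url, _status = m.groups()
        parts = urlsplit(url)
        # Endpoint may be in the path or in a dispatcher parameter (assumption).
        if ENDPOINT not in parts.path and ENDPOINT not in parts.query:
            continue
        for key, value in parse_qsl(parts.query, keep_blank_values=True):
            # Match the bare name or an array-style key such as p[sortDirection].
            if key == "sortDirection" or key.endswith("[sortDirection]"):
                if value.strip().upper() not in ALLOWED:
                    hits.append((ip, user, value))
    return hits

# Constructed sample log lines (not taken from a real system).
SAMPLE_LOG = [
    '198.51.100.7 - alice [31/May/2026:16:20:01 +0000] '
    '"GET /ajax/getDataGridPager.php?sortBy=name&sortDirection=ASC HTTP/1.1" 200 512',
    '198.51.100.9 - bob [31/May/2026:16:21:44 +0000] '
    '"GET /ajax/getDataGridPager.php?sortBy=name'
    '&sortDirection=DESC%2C%28constructed-extra-expression%29 HTTP/1.1" 200 512',
    '198.51.100.9 - bob [31/May/2026:16:22:10 +0000] '
    '"GET /index.php?m=home HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, user, value in suspicious_sort_requests(SAMPLE_LOG):
        print(f"{ip} user={user} sortDirection={value!r}")
```

Because the check is an allowlist rather than a keyword match, it flags any non-standard value regardless of encoding or payload wording.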
🛡️ Detection Rules
5 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
Web Application Exploitation Attempt — CVE-2026-49489
```yaml
title: Web Application Exploitation Attempt — CVE-2026-49489
id: scw-2026-05-31-1
status: experimental
level: high
description: |
  Detects common exploitation patterns targeting web applications. Review CVE-2026-49489 advisories for specific indicators.
author: SCW Feed Engine (auto-generated)
date: 2026-05-31
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-49489/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri-query|contains:
      - '..'
      - 'SELECT'
      - 'UNION'
      - '<script'
      - 'cmd='
      - '/etc/passwd'
  condition: selection
falsepositives:
  - Legitimate activity from CVE-2026-49489
```
Source: Shimi's Cyber World
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-49489 | SQLi | OpenCATS through 0.9.7.4 |
| CVE-2026-49489 | SQLi | sortDirection parameter |
| CVE-2026-49489 | SQLi | DataGrid component |
| CVE-2026-49489 | SQLi | ajax/getDataGridPager.php |
| CVE-2026-49489 | SQLi | time-based blind injection attacks |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 31, 2026 at 16:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.