PHP Code Injection Vulnerability in OpenCATS Installer by OpenCATS
CVE-2026-27760

9.2 CRITICAL

Key Information:

Vendor: Opencats

Status: Vendor

CVE Published: 28 April 2026

Badges

👾 Exploit Exists  🟡 Public PoC

What is CVE-2026-27760?

OpenCATS, prior to commit 3002a29, is vulnerable to a PHP code injection issue that affects the installer AJAX endpoint. This vulnerability allows unauthenticated attackers to inject malicious PHP code through the databaseConnectivity action parameter. By exploiting the vulnerability, attackers can break out of the define() string context in config.php using a single quote and a statement separator, enabling them to execute arbitrary code that persists across subsequent page loads as long as the installation wizard remains incomplete.
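The description above boils down to a single unsafe pattern: an installer takes a request parameter and concatenates it straight into a `define()` string literal that is then saved as executable PHP. The PHP below is an added illustration of that bug class beside its hardened counterpart; it is not OpenCATS code, and the function names, the `config.php` layout and the `INSTALL_COMPLETE` marker file are assumptions made for this example.

```php
<?php
// Added example, not OpenCATS code. Shows the injection-prone way of writing
// a config.php from installer input and a hardened alternative. Function names,
// file layout and the install-complete marker are hypothetical.

// VULNERABLE: the request value lands inside single quotes with no escaping,
// so a quote or statement separator in it changes the PHP that every later
// include of config.php will execute (the behaviour described in the CVE).
function writeConfigVulnerable(string $path, string $dbHost): void
{
    $php = "<?php\ndefine('DB_HOST', '" . $dbHost . "');\n";
    file_put_contents($path, $php);
}

// HARDENED, step 1: allowlist validation. Accept only values shaped like a
// hostname or dotted IPv4 address (RFC 1123 labels, dot-separated) and reject
// everything else before it gets anywhere near generated code.
function isAllowedDbHost(string $value): bool
{
    if ($value === '' || strlen($value) > 253) {
        return false;
    }
    $label = '[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?';
    return (bool) preg_match('/^' . $label . '(?:\.' . $label . ')*$/', $value);
}

// HARDENED, step 2: even after validation, emit the value through var_export(),
// which yields a correctly escaped PHP string literal, and write the file
// atomically so a partially written config.php is never included.
function writeConfigHardened(string $path, string $dbHost): void
{
    if (!isAllowedDbHost($dbHost)) {
        throw new InvalidArgumentException('DB host rejected by allowlist');
    }
    $php = "<?php\ndefine('DB_HOST', " . var_export($dbHost, true) . ");\n";
    $tmp = $path . '.tmp';
    if (file_put_contents($tmp, $php, LOCK_EX) === false || !rename($tmp, $path)) {
        throw new RuntimeException('could not write config file');
    }
}

// HARDENED, step 3: the installer AJAX endpoint should refuse to run once the
// wizard has finished. Here a marker file written as the final wizard step is
// checked first; an endpoint that stays reachable unauthenticated after
// install is exactly the persistence window the CVE text describes.
function installerIsLocked(string $installDir): bool
{
    return is_file($installDir . '/INSTALL_COMPLETE');
}

function handleDatabaseConnectivity(string $installDir, string $requestedHost): string
{
    if (installerIsLocked($installDir)) {
        return 'installer disabled: installation already complete';
    }
    writeConfigHardened($installDir . '/config.php', $requestedHost);
    return 'config written';
}

// Constructed sample inputs: a legitimate host and one containing a quote,
// which the allowlist rejects without ever reaching the code generator.
$installDir = sys_get_temp_dir();
echo handleDatabaseConnectivity($installDir, 'db01.internal.example'), PHP_EOL;
try {
    handleDatabaseConnectivity($installDir, "db'host");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
echo file_get_contents($installDir . '/config.php');
```

The allowlist is the primary control: a database host is a narrow enough value that a positive grammar is easy to state, and rejecting anything outside it removes the injection regardless of how the file is later assembled. `var_export()` is defence in depth for the case where a value legitimately needs characters the allowlist would not cover, and locking the installer after completion closes the unauthenticated code path rather than merely hardening it.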

Affected Version(s)

OpenCATS, all versions up to and including 0.9.7.4

OpenCATS 3002a29f4c3cada1aa2c4f3d4ae4e189906606b6

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which can lead to ransomware deployment.

References

CVSS v4

Score: 9.2
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability reserved

Credit

Valentin Lobstein (Chocapikk), VulnCheck