CVE-2026-27760
Published: 28 April 2026
Description
OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter. Attackers can break out of the define() string context in config.php using a single quote and statement separator to inject malicious PHP code that persists and executes on every subsequent page load when the installation wizard remains incomplete.
Mitigating Controls (NIST 800-53 r5)
SI-10 mandates information input validation at entry points like the installer AJAX endpoint, directly preventing PHP code injection via unsanitized databaseConnectivity parameters.
SI-2 requires timely identification, reporting, and correction of flaws, enabling patching to commit 3002a29 that fixes the injection in ui.php and CATSUtility.php.
SI-7 enforces integrity verification of software and configuration files like config.php, detecting persistent malicious code injections and preventing unauthorized execution.
Security Summary
CVE-2026-27760 is a PHP code injection vulnerability (CWE-94) affecting OpenCATS prior to commit 3002a29. The flaw resides in the installer AJAX endpoint, specifically the databaseConnectivity action parameter, where user input is insufficiently sanitized. This allows attackers to inject arbitrary PHP statements that break out of a define() string context in config.php using a single quote and statement separator, resulting in persistent malicious code execution.
Unauthenticated attackers (PR:N) can exploit this over the network (AV:N) by sending crafted requests to the installer endpoint during an incomplete installation process. Successful exploitation leads to arbitrary code execution (C:H/I:H/A:H) that persists in config.php and triggers on every subsequent page load, with a CVSS v3.1 base score of 8.1 due to high attack complexity (AC:H).
Mitigation is available via commit 3002a29f4c3cada1aa2c4f3d4ae4e189906606b6 and pull request #706 in the OpenCATS GitHub repository, which address the injection in the installer AJAX handler (ui.php) and related utility functions (CATSUtility.php). Security practitioners should update to this commit or later and ensure installations are completed or restricted to trusted environments, as detailed in the advisory at chocapikk.com/posts/2026/opencats-installer-rce/.
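To make the mechanism in the description and the SI-7 integrity control concrete from the defender's side, here is an added PHP illustration. It is not OpenCATS code and does not reproduce the project's installer, ui.php or CATSUtility.php logic; the function names (buildConfigUnsafe, buildConfigSafe, auditConfig), the ALLOWED_KEYS list and the sample settings are assumptions made for this example. It contrasts an installer that interpolates a request value straight into a define() string literal (the CWE-94 pattern) with one that allow-lists keys and emits the literal with var_export(), and adds a token-level integrity check of the generated config.php of the kind SI-7 calls for.

```php
<?php
// Added illustration, not OpenCATS code. Shows (1) the CWE-94 pattern of
// interpolating request input into a generated config.php, (2) a hardened
// writer, and (3) a token-level integrity check for the generated file.

// Hypothetical allow-list of settings the installer is permitted to write.
const ALLOWED_KEYS = ['DATABASE_HOST', 'DATABASE_USER', 'DATABASE_PASS', 'DATABASE_NAME'];

// Unsafe: the value is spliced into PHP source inside single quotes. A value
// containing a quote and a statement separator closes the literal early, and
// whatever follows is parsed as code every time config.php is included.
function buildConfigUnsafe(array $settings): string
{
    $out = "<?php\n";
    foreach ($settings as $name => $value) {
        $out .= "define('{$name}', '{$value}');\n";
    }
    return $out;
}

// Hardened: reject unknown keys and control characters, then let var_export()
// produce the literal. It escapes quotes and backslashes, so the value can
// never terminate the string no matter what it contains.
function buildConfigSafe(array $settings): string
{
    $out = "<?php\n";
    foreach ($settings as $name => $value) {
        if (!in_array($name, ALLOWED_KEYS, true)) {
            throw new InvalidArgumentException("unexpected setting: $name");
        }
        if (!is_string($value) || strlen($value) > 255 || preg_match('/[\x00-\x1f\x7f]/', $value)) {
            throw new InvalidArgumentException("invalid value for $name");
        }
        $out .= 'define(' . var_export($name, true) . ', ' . var_export($value, true) . ");\n";
    }
    return $out;
}

// Integrity check (SI-7 style): tokenize config.php and require that it is
// nothing but a sequence of define('KEY', 'VALUE'); statements with
// allow-listed keys. Anything else is reported, including injected statements.
function auditConfig(string $src): array
{
    $findings = [];
    $tokens = array_values(array_filter(token_get_all($src), function ($t) {
        return !is_array($t) || !in_array($t[0], [T_OPEN_TAG, T_WHITESPACE], true);
    }));
    for ($i = 0; $i < count($tokens); $i += 7) {
        $s = array_slice($tokens, $i, 7);
        $n = intdiv($i, 7) + 1;
        $wellFormed = count($s) === 7
            && is_array($s[0]) && $s[0][0] === T_STRING && $s[0][1] === 'define'
            && $s[1] === '('
            && is_array($s[2]) && $s[2][0] === T_CONSTANT_ENCAPSED_STRING
            && $s[3] === ','
            && is_array($s[4]) && $s[4][0] === T_CONSTANT_ENCAPSED_STRING
            && $s[5] === ')'
            && $s[6] === ';';
        if (!$wellFormed) {
            $findings[] = "statement $n is not of the form define('KEY', 'VALUE');";
            continue;
        }
        $key = substr($s[2][1], 1, -1); // strip the surrounding quotes
        if (!in_array($key, ALLOWED_KEYS, true)) {
            $findings[] = "statement $n defines unexpected key $key";
        }
    }
    return $findings;
}

// Constructed sample: a host field carrying a quote and a statement separator
// (the shape the advisory describes) followed by a harmless extra define().
$sample = ['DATABASE_HOST' => "localhost'); define('INJECTED', 'x"];

$unsafe = buildConfigUnsafe($sample);
$safe   = buildConfigSafe($sample);
echo $unsafe;                  // two statements: the intended define() plus the injected one
echo $safe;                    // one statement: the whole value stays inside one string literal
print_r(auditConfig($unsafe)); // reports statement 2 (key INJECTED is not allow-listed)
print_r(auditConfig($safe));   // empty array
```

The audit function is deliberately strict: a config file an installer generates has a fixed grammar, so anything that is not exactly that grammar is worth a finding rather than an attempt to guess intent. Run it from a file-integrity job against the deployed config.php, and alongside it keep the installer unreachable once setup is complete, as the summary above recommends.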
Details
- CWE(s): CWE-94 (Improper Control of Generation of Code, 'Code Injection')
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The CVE enables T1190 (Exploit Public-Facing Application) through unauthenticated exploitation of the public installer AJAX endpoint; the result is persistent PHP code execution from config.php on every page load, which directly facilitates T1505.003 (Server Software Component: Web Shell).