PT-2026-35727 · Opencats · Opencats

Valentin Lobstein

+1

·

Published

2026-04-28

·

Updated

2026-06-17

·

CVE-2026-27760

CVSS v3.1

8.1

High

Vector

AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions

OpenCATS versions prior to commit 3002a29
Description

An unauthenticated PHP code injection vulnerability exists in the installer's AJAX endpoint. The databaseConnectivity action writes an attacker-controlled parameter into config.php without escaping it. A value containing a single quote followed by a statement separator terminates the define() string literal, so any PHP statements appended after it become part of the generated file. The injected code persists in config.php and executes on every subsequent page load for as long as the installation wizard remains incomplete; a fully installed instance is not affected, but one left in a partially configured state is.
Recommendations

Update to commit 3002a29 or a newer version. Because the injected code only persists while the installation wizard is incomplete, also complete or remove the installer on any instance that is reachable, and inspect config.php on such instances for statements other than the expected define() calls.
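To make the define() breakout concrete, the following PHP is an added illustration and not OpenCATS code or the fix in commit 3002a29: a generic installer routine that writes database settings into config.php, shown in the vulnerable shape beside a hardened one, plus a tokenizer-based check that inspects a generated config.php without executing it. Function names, constant names, the validation pattern and the benign breakout payload are assumptions made for this example.

```php
<?php
// Added example, not OpenCATS code: a generic installer that writes database
// settings into config.php, in the vulnerable shape and a hardened shape.
// Function names, constant names and the payload are assumed for illustration.

// Vulnerable: request values are interpolated straight into PHP source text,
// so a single quote plus a statement separator ends the define() literal and
// whatever follows becomes code that runs on every include of config.php.
function renderConfigVulnerable(array $db): string
{
    return "<?php\n"
        . "define('DATABASE_HOST', '{$db['host']}');\n"
        . "define('DATABASE_USER', '{$db['user']}');\n"
        . "define('DATABASE_PASS', '{$db['pass']}');\n"
        . "define('DATABASE_NAME', '{$db['name']}');\n";
}

// Hardened: reject values that a host, user or database name never
// legitimately contains, and emit every value (including the password, which
// may contain anything) through var_export(), which produces a correctly
// escaped PHP string literal. Quotes, backslashes and NULs cannot end it.
function renderConfigSafe(array $db): string
{
    foreach (['host', 'user', 'name'] as $k) {
        if (!preg_match('/^[A-Za-z0-9._:\-]{1,128}$/', $db[$k])) {
            throw new InvalidArgumentException("invalid characters in $k");
        }
    }
    return "<?php\n"
        . "define('DATABASE_HOST', " . var_export($db['host'], true) . ");\n"
        . "define('DATABASE_USER', " . var_export($db['user'], true) . ");\n"
        . "define('DATABASE_PASS', " . var_export($db['pass'], true) . ");\n"
        . "define('DATABASE_NAME', " . var_export($db['name'], true) . ");\n";
}

// Check: tokenize a generated config.php without executing it and list every
// bare identifier other than define. A clean file yields an empty list; an
// injected call such as phpinfo shows up here even when hidden behind a
// trailing // comment that swallows the rest of the original line.
function unexpectedIdentifiers(string $src): array
{
    $found = [];
    foreach (token_get_all($src) as $tok) {
        if (is_array($tok) && $tok[0] === T_STRING && strtolower($tok[1]) !== 'define') {
            $found[] = $tok[1];
        }
    }
    return array_values(array_unique($found));
}

// Constructed input: a benign breakout payload in the host field.
$payload = [
    'host' => "127.0.0.1'); phpinfo(); //",
    'user' => 'cats',
    'pass' => 's3cret',
    'name' => 'opencats',
];

// The vulnerable writer turns the payload into a second statement.
$vuln = renderConfigVulnerable($payload);
echo $vuln, "\n";
echo "identifiers in vulnerable output: ", implode(', ', unexpectedIdentifiers($vuln)), "\n";

// The hardened writer rejects the value before anything is written.
try {
    renderConfigSafe($payload);
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// Even without the validator, var_export() alone keeps the payload inert:
// it becomes part of the string literal rather than a new statement.
$escaped = "<?php\ndefine('DATABASE_HOST', " . var_export($payload['host'], true) . ");\n";
echo $escaped;
echo "identifiers in escaped output: ", implode(', ', unexpectedIdentifiers($escaped)), "\n";
```

The tokenizer check is also usable on its own against an existing config.php when triaging an instance whose installer was exposed: read the file, run unexpectedIdentifiers() over it, and treat any identifier besides define as a sign that the file has been tampered with. The check inspects tokens only and never includes the file, so it is safe to run on a suspect copy.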

Exploit

Fix

RCE

Code Injection


Weakness Enumeration

Related Identifiers

CVE-2026-27760

Affected Products

Opencats