External risk intelligence

OpenCATS installer lets attackers run any code on your systems

CVE advisory

Severity: CRITICAL (CVSS 9.2)

CVE-2026-27760

An external attacker can exploit an unconfigured OpenCATS installation to gain full control of the underlying server. This exposes the business to potential system compromise and unauthorized access to sensitive data.

Halo Surface Signal score for CVE-2026-27760: 2 (external exposure likelihood)

Code Injection

The vulnerability exists within the application's installer interface, which is meant to be completed, disabled, or restricted immediately following deployment. While the host application may be web-accessible, leaving the installation wizard active and reachable is an insecure, non-standard configuration rather than a common or intended deployment pattern for this software.

Horizon Alert

Summary of the vulnerability and why it matters

This vulnerability in OpenCATS allows an unauthenticated attacker to execute arbitrary code on the system. The issue lies within the installer's AJAX endpoint, where specially crafted input can lead to PHP code injection. This means that if the installation wizard is still active, an attacker could potentially compromise the entire server.

  • Unauthenticated code execution
  • Affects OpenCATS installer
  • Allows persistent code injection

Attack Path

How an attacker could exploit the issue

Unauthenticated attackers can exploit this vulnerability by sending a crafted request to the installer AJAX endpoint. This allows them to inject malicious PHP code that will execute every time a page is loaded, effectively achieving persistent remote code execution. The exploit relies on the installation wizard remaining incomplete.

  • Unauthenticated access required.
  • Target: Installer AJAX endpoint.
  • Precondition: Incomplete installation wizard.

Live Threat

Current exploitation, exposure, and threat context

Attackers may find this vulnerability appealing because it offers unauthenticated remote code execution. However, the installer endpoint, which should be removed or secured once installation is finished, limits practical exploitation in live environments. Because the injected code persists only until the installation is completed, the window for exploitation is narrow.

  • Exploitation confined to installer.
  • No public exploit code observed.
  • Persistence limited by installation status.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize isolating or taking offline any OpenCATS instances that still have the installer accessible, as this vulnerability allows unauthenticated code execution. Monitor actively for any signs of the installer being accessed or unusual file modifications on affected systems. If the installer cannot be immediately removed, implement strict network access controls to prevent external access.

  • Block network access to installer.
  • Remove or disable installer endpoint.
  • Monitor for installer access attempts.
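One way to act on the "monitor for installer access attempts" step, as an added example that is not part of this advisory or of OpenCATS itself: a small Python scanner that reads web server access logs in the common "combined" format and flags any request to the installer, rating a POST to the installer's AJAX endpoint highest since that is the request shape the advisory describes. The installer path prefix and the AJAX endpoint name are assumed placeholders (the page does not state OpenCATS' actual paths); the log lines are constructed samples.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed placeholders: the page does not give OpenCATS' real installer paths,
# so substitute the path prefix and AJAX endpoint your deployment actually serves.
INSTALLER_PREFIX = "/installer"   # hypothetical
AJAX_MARKER = "ajax"              # hypothetical substring identifying the AJAX endpoint

# Apache/nginx "combined" access-log format: ip ident user [ts] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

@dataclass
class Finding:
    ip: str
    ts: str
    method: str
    path: str
    status: int
    severity: str

def classify(method: str, path: str) -> Optional[str]:
    """Return a severity for installer traffic, or None for ordinary requests."""
    path_only = path.split("?", 1)[0].lower()
    if not path_only.startswith(INSTALLER_PREFIX):
        return None
    # A POST to the installer's AJAX endpoint matches the crafted-request pattern
    # the advisory describes; any other installer hit is still worth a look.
    if method == "POST" and AJAX_MARKER in path_only:
        return "high"
    return "medium"

def scan_log(lines) -> List[Finding]:
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        sev = classify(m["method"], m["path"])
        if sev:
            findings.append(Finding(m["ip"], m["ts"], m["method"], m["path"], int(m["status"]), sev))
    return findings

# Constructed sample log lines (not real traffic). The 403 shows a network block
# doing its job, but the probe itself is still worth recording.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2026:10:01:02 +0000] "GET /index.php?m=home HTTP/1.1" 200 512
203.0.113.7 - - [10/Mar/2026:10:01:09 +0000] "GET /installer/index.php HTTP/1.1" 200 2048
203.0.113.7 - - [10/Mar/2026:10:01:15 +0000] "POST /installer/ajax.php?f=dbsettings HTTP/1.1" 200 64
198.51.100.4 - - [10/Mar/2026:10:02:00 +0000] "GET /installer HTTP/1.1" 403 199
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"[{f.severity}] {f.ip} {f.method} {f.path} -> {f.status}")
```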

Frequently asked questions

What is OpenCATS and what is it used for?

OpenCATS is an open-source applicant tracking system (ATS) used by staffing and recruiting agencies to manage job openings, candidates, and client information. It helps streamline the hiring process by centralizing data and communication.

What type of vulnerability does CVE-2026-27760 represent?

CVE-2026-27760 is a PHP code injection vulnerability. This weakness, categorized as CWE-94, allows attackers to insert and execute arbitrary PHP code within the application, potentially leading to a compromise of the system.

How can an attacker exploit this CVE-2026-27760 vulnerability?

An attacker can exploit this by sending a specially crafted request to the installer's AJAX endpoint. This input can inject PHP statements into the database connectivity settings. The vulnerability is only triggered if the installation wizard remains incomplete, allowing the injected code to execute on subsequent page loads.

Who should be concerned about CVE-2026-27760 based on its exposure?

Organizations running OpenCATS should be concerned if their installation wizard is accessible. While the vulnerability itself is network-addressable, the context of the installer being active and reachable is often temporary and not a standard deployment pattern, making the risk less likely to be internet-facing in typical scenarios.

What is the first step to address CVE-2026-27760?

The immediate first step is to ensure that the OpenCATS installer is no longer accessible. This could involve completing the installation, disabling the installer, or restricting network access to it to prevent any potential exploitation.
