OpenCATS Remote Code Execution Vulnerability

Vulnerability

A remote code execution vulnerability exists in OpenCATS version 0.9.4. This vulnerability allows unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised as resume attachments. The exploitation occurs through the careers job application endpoint, where uploaded PHP payloads can be executed via POST requests to the uploaded file in the upload directory.
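The defect described above is a classic unrestricted file upload: an attachment with a PHP extension is accepted as a resume and written to a directory the web server executes scripts from. The Python below is an added example, not OpenCATS code, of the checks a job-application upload handler should apply before accepting an attachment. The extension allowlist, magic-byte table, storage path and every sample filename are assumptions chosen for illustration.

```python
"""
Hardened resume-upload validation (added example, not OpenCATS code).

Checks applied before a file is accepted:
  * the final extension must be on an allowlist of document types;
  * no dotted segment of the name may be a server-executable extension
    (so 'cv.php', 'cv.pdf.php' and 'cv.php.pdf' are all rejected);
  * the first bytes must match the claimed type, and no PHP open tag
    may appear near the start of the content;
  * the stored file gets a random, server-chosen name under a directory
    outside the document root, with a non-executable mode.
"""
import os
import re
import secrets

# Constructed allowlist: document types a resume is plausibly submitted as.
ALLOWED_EXTENSIONS = {"pdf", "doc", "docx", "rtf", "txt"}

# Leading bytes ("magic") expected for each allowed type (txt has none).
MAGIC = {
    "pdf": (b"%PDF-",),
    "doc": (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",),   # OLE2 compound document
    "docx": (b"PK\x03\x04",),                        # ZIP container
    "rtf": (b"{\\rtf",),
}

# Extensions a PHP-capable web server may execute; rejected in any segment.
EXECUTABLE_SEGMENT = re.compile(r"^(php\d*|phtml|phar|phps|htaccess|cgi|pl|sh)$", re.I)

# Assumed storage location outside the document root (constructed path).
RESUME_STORE = "/var/lib/app-private/resumes"


class UploadRejected(ValueError):
    """Raised when an upload fails validation; the message is safe to log."""


def validate_resume(filename: str, content: bytes) -> str:
    """Return the accepted extension for this upload, or raise UploadRejected."""
    base = os.path.basename(filename.replace("\\", "/"))
    if not base or base.startswith("."):
        raise UploadRejected("empty or hidden filename")
    segments = base.lower().split(".")
    if len(segments) < 2:
        raise UploadRejected("no extension")
    # Every dotted segment is checked, not just the last one, because some
    # server configurations execute a file based on any of its extensions.
    for seg in segments[1:]:
        if EXECUTABLE_SEGMENT.match(seg):
            raise UploadRejected(f"executable extension segment: {seg}")
    ext = segments[-1]
    if ext not in ALLOWED_EXTENSIONS:
        raise UploadRejected(f"extension not allowed: {ext}")
    head = content[:4096]
    if b"<?php" in head or b"<?=" in head:
        raise UploadRejected("PHP open tag in content")
    expected = MAGIC.get(ext)
    if expected and not any(head.startswith(m) for m in expected):
        raise UploadRejected(f"content does not look like .{ext}")
    return ext


def is_valid_resume(filename: str, content: bytes) -> bool:
    """Boolean form of validate_resume, convenient for logging and tests."""
    try:
        validate_resume(filename, content)
    except UploadRejected:
        return False
    return True


def store_resume(filename: str, content: bytes, store_dir: str = RESUME_STORE) -> str:
    """Validate, then write under a random name; returns the stored path.

    The original filename is never used on disk, only its validated extension.
    """
    ext = validate_resume(filename, content)
    os.makedirs(store_dir, mode=0o700, exist_ok=True)
    path = os.path.join(store_dir, f"{secrets.token_hex(16)}.{ext}")
    with open(path, "wb") as fh:
        fh.write(content)
    os.chmod(path, 0o600)  # data only; never executable
    return path


if __name__ == "__main__":
    # Constructed sample inputs.
    print(is_valid_resume("cv.pdf", b"%PDF-1.4 sample"))       # True
    print(is_valid_resume("cv.pdf.php", b"%PDF-1.4 sample"))   # False
    print(is_valid_resume("cv.docx", b"%PDF-1.4 sample"))      # False
```

Validation alone is only half the fix: the web server should also be configured so that nothing under the upload directory is ever handed to the PHP interpreter (for Apache with mod_php, `php_admin_flag engine off` in that directory's configuration), and downloads should be served through an application handler that reads from the private store rather than by a direct URL into the upload path.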

Impact

Exploitation of this vulnerability allows for remote code execution on the server where OpenCATS is hosted.

Reproduction

To reproduce this vulnerability, upload a PHP file disguised as a resume attachment through the careers job application endpoint. Once the file is uploaded, execute system commands by sending POST requests to the uploaded file in the upload directory.
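The reproduction steps leave a distinctive trace in web-server access logs: a POST to the job-application endpoint followed by a request that executes a PHP-extension file under the upload directory. The following Python is an added detection example, not OpenCATS code, that parses combined-format access-log lines and raises an alert for each such request, noting whether the same client earlier submitted an application. The log lines, the `/careers/apply` endpoint and the `/upload/` prefix are constructed placeholders; set `APPLY_PATHS` and `UPLOAD_PREFIXES` to the real paths of the monitored deployment.

```python
"""
Access-log detection for PHP execution out of an upload directory
(added example, not OpenCATS code). Paths and log lines are constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed: web-relative prefixes the application writes uploads into.
UPLOAD_PREFIXES = ("/upload/",)
# Constructed: the careers application endpoint that accepts resume uploads.
APPLY_PATHS = ("/careers/apply",)

# A PHP-style extension as the final extension or followed by another one.
EXEC_EXT = re.compile(r"\.(php\d*|phtml|phar|phps)(?:\.|$)", re.I)

# Apache/nginx combined format:
# ip - user [time] "METHOD target HTTP/x" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["path"] = urlsplit(rec["target"]).path   # drop any query string
    rec["status"] = int(rec["status"])
    return rec


def is_upload_dir_exec(path):
    """True if the path is under an upload prefix and names a PHP-executable file."""
    under_upload = any(path.startswith(p) for p in UPLOAD_PREFIXES)
    return under_upload and EXEC_EXT.search(path) is not None


def detect(lines):
    """Return one alert per request that targets an executable file in the upload dir.

    Each alert records whether the same IP earlier POSTed to an application
    endpoint, which is the sequence the reproduction steps produce.
    """
    applications = defaultdict(int)   # ip -> prior application POSTs seen
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "POST" and rec["path"] in APPLY_PATHS:
            applications[rec["ip"]] += 1
            continue
        if is_upload_dir_exec(rec["path"]):
            alerts.append({
                "ip": rec["ip"],
                "time": rec["time"],
                "method": rec["method"],
                "path": rec["path"],
                "status": rec["status"],
                "preceded_by_application": applications[rec["ip"]] > 0,
                # 200 means the server handled the file; other statuses mean
                # the request was blocked or the file was absent, still worth noting.
                "severity": "high" if rec["status"] == 200 else "medium",
            })
    return alerts


# Constructed sample log (documentation-range IPs, placeholder paths).
SAMPLE_LOG = [
    '203.0.113.5 - - [10/May/2026:13:30:01 +0000] "GET /careers/index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/May/2026:13:30:12 +0000] "POST /careers/apply HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/May/2026:13:30:20 +0000] "POST /upload/resume_1234.php HTTP/1.1" 200 64 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/May/2026:13:31:00 +0000] "GET /upload/resume_1200.pdf HTTP/1.1" 200 81920 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/May/2026:13:31:05 +0000] "GET /upload/notes.phtml HTTP/1.1" 404 210 "-" "curl/8.0"',
]


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run against a live log the same logic fires on any request for a PHP-extension file under the upload prefix regardless of method, since a GET to such a file is just as abnormal as the POST the advisory describes; an ordinary resume download (the `.pdf` line above) produces no alert.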

Added: May 10, 2026, 1:36 PM
Updated: May 10, 2026, 1:36 PM

Vulnerability Rating

Custom Algorithm
spread: 3.4
impact: 7.5
exploitability: 9.7
remediation: 7.7
relevance: 7.9
threat: 6.4
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.