Description

OpenCATS 0.9.4 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised as resume attachments. Attackers can upload PHP payloads through the careers job application endpoint and execute system commands via POST requests to the uploaded file in the upload directory.

PUBLISHED Reserved 2026-02-01 | Published 2026-05-10 | Updated 2026-05-10 | Assigner VulnCheck

CRITICAL: 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CRITICAL: 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

Missing Authentication for Critical Function

Product status

Any version: affected

Credits

Nicholas Ferreira (https://github.com/Nickguitar) - finder

References

www.exploit-db.com/exploits/50585 (ExploitDB-50585) exploit

www.opencats.org/ (Official Product Homepage) product

github.com/opencats/OpenCATS (Product Reference) product

www.vulncheck.com/...remote-code-execution-via-resume-upload (VulnCheck Advisory: OpenCATS 0.9.4 Remote Code Execution via Resume Upload) third-party-advisory

cve.org (CVE-2021-47936)

nvd.nist.gov (CVE-2021-47936)