CVE-2026-49489

Description

OpenCATS through 0.9.7.4 contains a sql injection vulnerability in the sortDirection parameter of the DataGrid component that allows authenticated users to extract database contents. Attackers can inject malicious SQL via the sortDirection parameter in ajax/getDataGridPager.php to perform time-based blind injection attacks and read sensitive data.

PUBLISHED Reserved 2026-05-31 | Published 2026-05-31 | Updated 2026-06-01 | Assigner VulnCheck

Problem types

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

Product status

Credits

Texuguinho1234 reporter

References

github.com/...enCATS/security/advisories/GHSA-8mc8-5gw6-c7w4 (GHSA Advisory GHSA-8mc8-5gw6-c7w4) vendor-advisory

packetstorm.news/files/id/222200/ (Packet Storm Advisory) exploit

www.exploit-db.com/exploits/52579 (Exploit DB Advisory) exploit

www.vulncheck.com/...ion-in-datagrid-sortdirection-parameter (VulnCheck Advisory: OpenCATS - SQL Injection in DataGrid sortDirection Parameter) third-party-advisory

cve.org (CVE-2026-49489)

nvd.nist.gov (CVE-2026-49489)

Download JSON