CVE Alert

CVE-2021-47936

CRITICAL 9.8

OpenCATS 0.9.4 Remote Code Execution via Resume Upload

CVSS Score: 9.8
EPSS Score: 0.2%
EPSS Percentile: 45th

OpenCATS 0.9.4 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised as resume attachments. Attackers can upload PHP payloads through the careers job application endpoint and execute system commands via POST requests to the uploaded file in the upload directory.

CWE: CWE-306
Vendor: opencats
Product: opencats
Published: May 10, 2026
Last Updated: May 11, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High

Affected Versions

Opencats / OpenCATS
0 ≤ 0.9.4

References

NVD, CVE.org, EPSS Data
exploit-db.com: https://www.exploit-db.com/exploits/50585
opencats.org: https://www.opencats.org/
github.com: https://github.com/opencats/OpenCATS
vulncheck.com: https://www.vulncheck.com/advisories/opencats-remote-code-execution-via-resume-upload

Credits

Nicholas Ferreira - https://github.com/Nickguitar