CVE-2026-49489
OpenCATS - SQL Injection in DataGrid sortDirection Parameter
CVSS Score
8.5
EPSS Score
0.0%
EPSS Percentile
9th
OpenCATS through 0.9.7.4 contains a sql injection vulnerability in the sortDirection parameter of the DataGrid component that allows authenticated users to extract database contents. Attackers can inject malicious SQL via the sortDirection parameter in ajax/getDataGridPager.php to perform time-based blind injection attacks and read sensitive data.
| CWE | CWE-89 |
| Vendor | opencats |
| Product | opencats |
| Published | May 31, 2026 |
| Last Updated | Jun 1, 2026 |
Stay Ahead of the Next One
Get instant alerts for opencats opencats
Be the first to know when new high vulnerabilities affecting opencats opencats are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
None
Availability
Low
Affected Versions
OpenCATS / OpenCATS
0 โค 0.9.7.4
References
github.com: https://github.com/opencats/OpenCATS/security/advisories/GHSA-8mc8-5gw6-c7w4 packetstorm.news: https://packetstorm.news/files/id/222200/ exploit-db.com: https://www.exploit-db.com/exploits/52579 vulncheck.com: https://www.vulncheck.com/advisories/opencats-sql-injection-in-datagrid-sortdirection-parameter
Credits
๐ Texuguinho1234