CVE-2026-49490
HIGHOpenCATS - SQL Injection in DataGrid Filter Handling for Tags Column
Title source: cnaDescription
OpenCATS from version 0.9.1a contains an SQL injection vulnerability in DataGrid filter handling that allows authenticated attackers to inject SQL through crafted filters targeting the non-filterable Tags column in the Candidates DataGrid. Attackers can bypass column filterable restrictions by manipulating filter requests to execute arbitrary SQL queries against the database.
References (2)
Core 2
Core References
Vendor Advisory vendor-advisory
GHSA Advisory GHSA-gmpc-j6h7-vw74
https://github.com/opencats/OpenCATS/security/advisories/GHSA-gmpc-j6h7-vw74
Third Party Advisory third-party-advisory
VulnCheck Advisory: OpenCATS - SQL Injection in DataGrid Filter Handling for Tags Column
https://www.vulncheck.com/advisories/opencats-sql-injection-in-datagrid-filter-handling-for-tags-column
Scores
CVSS v3
8.1
EPSS
0.0025
EPSS Percentile
15.9%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-89
Status
published
Products (1)
OpenCATS/OpenCATS
< 0.9.1a
Published
May 31, 2026
Tracked Since
May 31, 2026