CVE-2026-49489

OpenCATS - SQL Injection in DataGrid sortDirection Parameter

CVSS 8.4 HIGH · EPSS 0.3% · CWE-89
OpenCATS through 0.9.7.4 contains a SQL injection vulnerability in the sortDirection parameter of the DataGrid component that allows authenticated users to extract database contents. Attackers can inject malicious SQL via the sortDirection parameter in ajax/getDataGridPager.php to perform time-based blind injection attacks and read sensitive data.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:L
Affected products
OpenCATS · OpenCATS
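
Sort-direction parameters are a recurring source of this bug class because a bound placeholder cannot stand in for the ASC/DESC keyword, so the value tends to be concatenated into ORDER BY. The following is an added example, not OpenCATS code and not the project's fix: it is written in Python with sqlite3 so it runs offline (OpenCATS itself is PHP), and the table, column and function names are hypothetical.

```python
import sqlite3

# Hypothetical names: the table, sortable columns and functions are constructed
# for this example and are not taken from OpenCATS.
SORTABLE_COLUMNS = {"last_name", "date_created"}
SORT_DIRECTIONS = {"ASC", "DESC"}


def build_order_by(sort_by, sort_direction):
    """Return an ORDER BY clause assembled only from allowlisted tokens."""
    if not isinstance(sort_by, str) or sort_by not in SORTABLE_COLUMNS:
        raise ValueError("unsupported sort column")
    direction = sort_direction.strip().upper() if isinstance(sort_direction, str) else ""
    if direction not in SORT_DIRECTIONS:
        raise ValueError("unsupported sort direction")
    return f'ORDER BY "{sort_by}" {direction}'


def fetch_page(conn, sort_by, sort_direction, limit=10, offset=0):
    """Values (limit, offset) are bound; the column and keyword come from the allowlist."""
    sql = ("SELECT last_name FROM candidate "
           f"{build_order_by(sort_by, sort_direction)} LIMIT ? OFFSET ?")
    return [row[0] for row in conn.execute(sql, (int(limit), int(offset)))]


def direction_can_be_bound(conn):
    """Check whether a placeholder is accepted where ASC/DESC belongs (it is not)."""
    try:
        conn.execute("SELECT last_name FROM candidate ORDER BY last_name ?", ("DESC",))
        return True
    except sqlite3.Error:
        return False


def demo_connection():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE candidate (last_name TEXT, date_created TEXT)")
    conn.executemany("INSERT INTO candidate VALUES (?, ?)",
                     [("Baker", "2024-01-02"), ("Adams", "2024-03-01"),
                      ("Clark", "2024-02-10")])
    return conn


if __name__ == "__main__":
    conn = demo_connection()
    print(fetch_page(conn, "last_name", "desc"))
    print("placeholder accepted for direction:", direction_can_be_bound(conn))
```

Rejecting anything outside the two-keyword set, rather than trying to escape it, is what keeps the request parameter from ever reaching the SQL text.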
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.
