Cyber Resilience

CVE-2026-27760

Critical · Public PoC · RCE

Published: 28 April 2026
Modified: 28 April 2026
CVSS Score (v4): 9.2 (vector: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS Score: 0.2219 (97.4th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-27760 is a critical-severity Code Injection (CWE-94) vulnerability in Chocapikk (inferred from references). Its CVSS base score is 9.2 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked in the top 2.6% of CVEs by exploit likelihood, it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-27760 is a PHP code injection vulnerability (CWE-94) affecting OpenCATS prior to commit 3002a29. The flaw resides in the installer AJAX endpoint, specifically the databaseConnectivity action parameter, where user input is insufficiently sanitized. This allows attackers to inject arbitrary PHP statements that break out of a define() string context in config.php using a single quote and statement separator, resulting in persistent malicious code execution.

Unauthenticated attackers (PR:N) can exploit this over the network (AV:N) by sending crafted requests to the installer endpoint during an incomplete installation process. Successful exploitation leads to arbitrary code execution (C:H/I:H/A:H) that persists in config.php and triggers on every subsequent page load, with a CVSS v3.1 base score of 8.1 due to high attack complexity (AC:H).

Mitigation is available via commit 3002a29f4c3cada1aa2c4f3d4ae4e189906606b6 and pull request #706 in the OpenCATS GitHub repository, which address the injection in the installer AJAX handler (ui.php) and related utility functions (CATSUtility.php). Security practitioners should update to this commit or later and ensure installations are completed or restricted to trusted environments, as detailed in the advisory at chocapikk.com/posts/2026/opencats-installer-rce/.

Vulnerability details

OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter. Attackers can break out of the define() string context in config.php using a single quote and statement separator to inject malicious PHP code that persists and executes on every subsequent page load when the installation wizard remains incomplete.

Related Threats

MITRE ATT&CK Enterprise Techniques

- T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
- T1505.003 Web Shell (Persistence): Adversaries may backdoor web servers with web shells to establish persistent access to systems.

Why these techniques?

This CVE enables T1190 through unauthenticated exploitation of the public installer AJAX endpoint. The result is persistent PHP code execution from config.php on every page load, which directly facilitates T1505.003 (web shell deployment).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

- CVE-2026-30117 (shared CWE-94)
- CVE-2024-54724 (shared CWE-94)
- CVE-2026-32367 (shared CWE-94)
- CVE-2026-27044 (shared CWE-94)
- CVE-2025-66224 (shared CWE-94)
- CVE-2026-2296 (shared CWE-94)
- CVE-2025-52744 (shared CWE-94)
- CVE-2026-42607 (shared CWE-94)
- CVE-2024-13890 (shared CWE-94)
- CVE-2021-47778 (shared CWE-94)

Affected Assets

Chocapikk (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls (NIST 800-53 r5)

- SI-10, Information Input Validation (prevent): mandates input validation at entry points like the installer AJAX endpoint, directly preventing PHP code injection via unsanitized databaseConnectivity parameters.
- SI-2, Flaw Remediation (prevent): requires timely identification, reporting, and correction of flaws, enabling patching to commit 3002a29, which fixes the injection in ui.php and CATSUtility.php.
- SI-7, Software, Firmware, and Information Integrity (prevent, detect): enforces integrity verification of software and configuration files like config.php, detecting persistent malicious code injections and preventing unauthorized execution.