CVE-2026-49489: OpenCATS - SQL Injection in DataGrid sortDirection Parameter
OpenCATS through 0.9.7.4 contains a SQL injection vulnerability in the sortDirection parameter of the DataGrid component that allows authenticated users to extract database contents. Attackers can inject malicious SQL via the sortDirection parameter in ajax/getDataGridPager.php to perform time-based blind injection attacks and read sensitive data.
HarborGuard Analysis
Synopsis
SQL injection in OpenCATS, an open-source applicant tracking system, affects the sortDirection parameter of the DataGrid component in versions through 0.9.7.4. The vulnerability is reachable over the network by any authenticated user and exploits unsanitized input passed to ajax/getDataGridPager.php to perform time-based blind SQL injection. Successful exploitation allows an attacker to read the full contents of the underlying database, including candidate records, user credentials, and other stored data. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.
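The root cause class described above, a sort direction spliced into SQL text, cannot be fixed with a bound parameter because ORDER BY keywords are not bindable. The added example below (not OpenCATS code; function names, table and column names are assumed for illustration) shows the unsafe concatenation pattern beside an allowlisted replacement in which every token of the ORDER BY clause comes from server-side constants.

```php
<?php
// Added example, not OpenCATS's own code. Table/column names are assumed.

// Unsafe pattern (illustrative): request values land directly in SQL text,
// so any content of $sortDirection becomes part of the executed query.
function buildOrderByUnsafe(string $sortBy, string $sortDirection): string
{
    return 'ORDER BY ' . $sortBy . ' ' . $sortDirection;
}

// Hardened: map the request values onto fixed allowlists and reject
// anything else loudly (an unexpected value is worth an alert, not a
// silent fallback).
const ALLOWED_SORT_COLUMNS = [
    'lastName'     => 'candidate.last_name',
    'dateModified' => 'candidate.date_modified',
];
const ALLOWED_SORT_DIRECTIONS = ['ASC', 'DESC'];

function buildOrderBySafe(string $sortBy, string $sortDirection): string
{
    if (!array_key_exists($sortBy, ALLOWED_SORT_COLUMNS)) {
        throw new InvalidArgumentException('Unknown sort column');
    }
    $direction = strtoupper($sortDirection);
    if (!in_array($direction, ALLOWED_SORT_DIRECTIONS, true)) {
        throw new InvalidArgumentException('Unknown sort direction');
    }
    return 'ORDER BY ' . ALLOWED_SORT_COLUMNS[$sortBy] . ' ' . $direction;
}

// Paging values, unlike ORDER BY tokens, can and should be bound.
function fetchPage(PDO $db, string $sortBy, string $sortDirection,
                   int $page, int $perPage): array
{
    $sql = 'SELECT candidate_id, last_name, date_modified FROM candidate '
         . buildOrderBySafe($sortBy, $sortDirection)
         . ' LIMIT :limit OFFSET :offset';
    $stmt = $db->prepare($sql);
    $stmt->bindValue(':limit', $perPage, PDO::PARAM_INT);
    $stmt->bindValue(':offset', $page * $perPage, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Logging the InvalidArgumentException path gives a cheap detection signal for probing of the sort parameters, since a legitimate client never sends a value outside the allowlist.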
HarborGuard Coverage
- Detection: Available
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images derived from OpenCATS base layers. Any image carrying an affected OpenCATS version (0.9.7.4 or earlier) is flagged automatically in both registry scans and CI pipeline checks.
- Scoring and routing: Available
HarborGuard scores this issue at CVSS 8.4 (HIGH) using the upstream v4.0 vector and can weight that score further against each customer org's compliance policy (for example, elevating priority for environments tagged as handling PII or HR data). Findings are routed to the appropriate team inbox within each customer organization based on configured ownership rules.
- Fix: Pending upstream
No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainers ship a corrected release. For customers with auto-remediation enabled, that rebuild will trigger a regression test run and a PR opened against affected workloads without manual intervention.
Exploit Conditions
- Network reachability: Required
The vulnerable endpoint (ajax/getDataGridPager.php) is served over HTTP/HTTPS, so the attacker must be able to reach the OpenCATS service across the network.
- Authentication: Required
Any low-privilege authenticated account is sufficient; no administrative role is needed to reach the vulnerable parameter.
- Victim interaction: Not required
The attacker sends a crafted HTTP request directly to the endpoint; no user action or social engineering is needed.
- Attack complexity: Low (AC:L in the CVSS vector)
Exploitation is reliable and condition-free: the injection requires no race conditions, memory layout knowledge, or special environmental setup beyond network access and a valid session.
Blast Radius
- Reads full database contents via time-based blind SQL injection, including stored candidate profiles, resumes, contact details, and internal HR notes.
- Extracts application user records including usernames and hashed or plaintext passwords, enabling credential reuse attacks against other systems.
- Causes measurable latency degradation on the database host due to repeated time-delay payloads, partially disrupting availability of the OpenCATS instance during an active attack.
- Reaches data held in subsidiary or linked database schemas if the OpenCATS database user has cross-schema SELECT privileges.
How HarborGuard Handles This
Available on HarborGuard: because no upstream fix exists for CVE-2026-49489, HarborGuard continuously monitors the OpenCATS advisory and will make a patched-image rebuild available the moment a corrected version is released. In the interim, customers can apply compensating controls through HarborGuard policy rules: network-policy isolation to restrict which internal hosts can reach the OpenCATS service, egress filtering to limit outbound database connections to trusted consumers only, and runtime policy alerts on unexpected query-volume spikes from the application container. For customers with auto-remediation enabled, the patched rebuild will trigger automatically on the next ingest cycle after an upstream fix is published, followed by a regression test run and a PR opened against affected workloads. Customers who need to track SLA exposure for this HIGH-severity finding can pin a custom compliance policy weight in HarborGuard to ensure the finding routes to the correct team inbox without delay.
Metrics
- CVSS v4.0: 8.4
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
- OpenCATS / OpenCATS ≤ 0.9.7.4
- Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:L/SC:H/SI:N/SA:L