CVE-2021-47936: OpenCATS 0.9.4 allows attackers to run malicious code remotely
Summary
An attacker can upload a malicious file to OpenCATS, pretending it's a resume, and then execute system commands without needing a password. This could allow an attacker to access sensitive information or take control of the server. To protect your system, update to a newer version of OpenCATS or apply security patches.
Original title
OpenCATS 0.9.4 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised as resume attachments. A...
Original description
OpenCATS 0.9.4 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised as resume attachments. Attackers can upload PHP payloads through the careers job application endpoint and execute system commands via POST requests to the uploaded file in the upload directory.
NVD CVSS 3.1
9.8
NVD CVSS 4.0
9.3
Vulnerability type
CWE-306: Missing Authentication for Critical Function
Published: 10 May 2026 · Updated: 28 May 2026 · First seen: 10 May 2026