CVE-2026-49489: OpenCATS SQL Injection in DataGrid sortDirection Parameter
OpenCATS, a recruitment and applicant tracking software, contains a SQL injection flaw in its data grid sorting feature. An authenticated user can manipulate the sortDirection parameter to inject malicious SQL commands, allowing them to extract sensitive information from the application's database. The vulnerability requires valid login credentials but poses significant risk because attacker queries execute without user interaction and can retrieve confidential candidate, recruiter, and business data.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-31 / 2026-06-17
NVD description (verbatim)
OpenCATS through 0.9.7.4 contains a sql injection vulnerability in the sortDirection parameter of the DataGrid component that allows authenticated users to extract database contents. Attackers can inject malicious SQL via the sortDirection parameter in ajax/getDataGridPager.php to perform time-based blind injection attacks and read sensitive data.
4 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-49489 is a SQL injection vulnerability located in the DataGrid component's sortDirection parameter within ajax/getDataGridPager.php. The parameter fails to properly validate or sanitize user input before constructing SQL queries. An authenticated attacker can leverage time-based blind SQL injection techniques to exfiltrate database contents without triggering immediate errors. The vulnerability affects OpenCATS versions through 0.9.7.4 and requires valid application credentials to exploit.
Business impact
Organizations using OpenCATS to manage recruitment workflows face exposure of sensitive applicant data, including personal information, employment history, and internal hiring assessments. A compromised database could leak competitive intelligence about hiring practices, candidate pipelines, and organizational structure. If candidate data is exposed, organizations may face regulatory compliance violations (GDPR, CCPA) and reputational damage. The threat is elevated because ATS systems are prime targets for corporate espionage and insider threats.
Affected systems
OpenCATS through version 0.9.7.4 is affected. Organizations should verify their installed version in the application settings or by checking the release history. Only authenticated users can execute the attack, meaning the risk is primarily from internal users or attackers who have obtained valid credentials through phishing, credential stuffing, or social engineering.
Exploitability
The vulnerability requires authentication, which reduces the pool of potential attackers but does not eliminate the risk. Malicious insiders, contractors, or users whose credentials are compromised pose a credible threat. The attack is not visible to end-users and can be executed programmatically via API calls to ajax/getDataGridPager.php, making it attractive for large-scale data theft. No user interaction is required once an attacker has valid credentials.
Remediation
Immediate steps include upgrading OpenCATS to a patched version released after 0.9.7.4 (verify against the vendor advisory). As an interim measure, restrict access to the DataGrid sorting feature via web application firewall rules or network segmentation, monitor authentication logs for suspicious activity, and implement principle of least privilege for database accounts. Apply input validation and parameterized queries across the codebase to prevent SQL injection.
Patch guidance
Contact the OpenCATS project or check official release repositories for patched versions beyond 0.9.7.4. If you maintain OpenCATS internally, apply code review and security testing to confirm SQL injection is resolved in the sortDirection parameter. Test the patch in a staging environment before production deployment, focusing on data grid sorting functionality and API endpoint behavior.
Detection guidance
Monitor ajax/getDataGridPager.php access logs for unusual sortDirection parameter values containing SQL syntax (keywords like UNION, SELECT, SLEEP, BENCHMARK). Implement database query logging to detect anomalous SELECT statements originating from the application layer. Alert on authentication followed by multiple failed or time-delayed API requests. Use Web Application Firewall (WAF) rules to block common SQL injection payloads in the sortDirection parameter.
Why prioritize this
Despite requiring authentication, this vulnerability merits urgent patching because ATS systems store highly sensitive personal and business data. The HIGH CVSS score reflects the broad impact scope and high confidentiality exposure. The time-based blind injection technique allows attackers to systematically extract data without detection. Combined with the prevalence of credential compromise in enterprise environments, this represents a material risk to data privacy and regulatory compliance.
Risk score, explained
The CVSS 3.1 score of 8.5 (HIGH) reflects: network-accessible attack vector (AV:N), low attack complexity (AC:L), requirement for low privileges/authentication (PR:L), no user interaction needed (UI:N), scope change to other systems (S:C indicating potential cross-system impact), high confidentiality impact (C:H), no integrity impact (I:N), and low availability impact (A:L). The score appropriately captures the serious data exfiltration risk despite the authentication requirement.
Frequently asked questions
Does this vulnerability require the attacker to be an administrator?
No. The vulnerability requires only valid user credentials at any privilege level. Standard users, recruiters, or HR staff accounts can be leveraged. This makes it attractive to insiders or attackers who compromise low-privilege accounts.
Can this be exploited from outside our network?
Yes. The attack vector is network-accessible (AV:N), so any authenticated user connecting remotely—whether employee, contractor, or compromised account—can execute SQL injection via the ajax/getDataGridPager.php endpoint.
What data is at immediate risk?
Any data in the OpenCATS database is at risk: candidate profiles, resumes, assessment scores, recruiter notes, company hiring strategies, and associated metadata. Time-based blind injection allows systematic extraction of entire tables over time.
Is there a workaround if we cannot patch immediately?
Partial mitigations include restricting network access to the DataGrid API via firewall rules, implementing strict input validation at the WAF level, enforcing multi-factor authentication, and monitoring for SQL injection signatures. However, these are not substitutes for patching.
This analysis is provided for informational purposes. SEC.co makes no warranty regarding accuracy, completeness, or fitness for specific use. Organizations should independently verify affected product versions, test patches in staging environments, and consult vendor advisories before deployment. Vulnerability timelines and patch availability may change. Always follow your organization's change management and security testing procedures. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25392HIGHSQL Injection in MaxOn ERP Software 8.x-9.x
- CVE-2018-25394HIGHSQL Injection in Kados R10 GreenBee Unauthenticated Remote Database Access
- CVE-2018-25395HIGHKados R10 GreenBee SQL Injection Vulnerability – Unauthenticated Database Access