CVE-2026-49490: SQL Injection in OpenCATS DataGrid Filter
OpenCATS, a recruitment applicant tracking system, contains an SQL injection flaw affecting versions from 0.9.1a onward. An attacker with valid login credentials can craft malicious filter requests in the Candidates DataGrid to bypass security controls and inject SQL commands into the database. The vulnerability specifically exploits the Tags column, which is marked as non-filterable but can be targeted through specially crafted requests. Once injected, attackers can read, modify, or delete sensitive candidate and company data stored in the database.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
- Weaknesses (CWE)
- CWE-89
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-05-31 / 2026-06-17
NVD description (verbatim)
OpenCATS from version 0.9.1a contains an SQL injection vulnerability in DataGrid filter handling that allows authenticated attackers to inject SQL through crafted filters targeting the non-filterable Tags column in the Candidates DataGrid. Attackers can bypass column filterable restrictions by manipulating filter requests to execute arbitrary SQL queries against the database.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-49490 is an authenticated SQL injection vulnerability in OpenCATS's DataGrid filter mechanism. The application fails to properly validate and sanitize filter parameters before incorporating them into SQL queries. Specifically, the Tags column in the Candidates DataGrid is configured as non-filterable but lacks server-side enforcement. An attacker can manipulate filter request payloads to target this column and inject arbitrary SQL. The vulnerability arises from insufficient input validation combined with inadequate separation between client-side UI restrictions and server-side query construction. The CVSS 3.1 score of 8.1 (HIGH) reflects high confidentiality and integrity impact with network accessibility and low attack complexity, though the requirement for prior authentication (PR:L) prevents a critical rating.
Business impact
For organizations deploying OpenCATS for recruitment workflows, this vulnerability poses a direct threat to candidate privacy and data confidentiality. Attackers with employee accounts—whether legitimate staff or compromised credentials—can extract personally identifiable information, contact details, salary histories, and assessment scores. Beyond privacy breach liabilities, attackers could alter candidate records to manipulate hiring decisions, delete applications to obstruct audits, or modify interview notes. Reputational damage from a recruitment database compromise could harm both the hiring organization and OpenCATS's reputation. The threat is amplified in multi-tenant or cloud-hosted deployments where one compromised account could affect multiple client databases.
Affected systems
OpenCATS version 0.9.1a and later versions remain vulnerable unless patched. The vulnerability is present in the Candidates DataGrid filter component, though the underlying mechanism affects any DataGrid using the same filter processing logic. Organizations should verify the exact version deployed in their environment. No information suggests earlier versions (prior to 0.9.1a) are affected. Instances hosted on-premises and in cloud environments are equally at risk.
Exploitability
While exploitation requires valid authentication credentials, the barrier is moderate rather than high. Many organizations grant broad access to recruitment staff, contractors, or temporary users. Compromised credentials from phishing, credential stuffing, or insider threats lower the effective barrier. The attack itself is straightforward: an authenticated user crafts filter payloads via the web interface or API, no special tools or deep system knowledge required. Proof-of-concept development is relatively simple given SQL injection's well-established exploitation patterns. The vulnerability is not currently tracked in the CISA Known Exploited Vulnerabilities (KEV) catalog, suggesting limited public weaponization to date, though this does not indicate low real-world risk.
Remediation
Immediate action should focus on applying available security patches from OpenCATS. Organizations should verify patch availability and deployment timelines with the vendor. Interim mitigations include restricting DataGrid filter access through role-based controls, disabling filter functionality if not business-critical, and implementing database-level access controls to limit damage from SQL injection. Enhanced monitoring of filter requests and database query logs can detect exploitation attempts. Organizations should audit recent filter usage logs to identify suspicious activity patterns. For high-risk environments, consider temporary workflow adjustments to reduce reliance on the Candidates DataGrid until patches are deployed.
Patch guidance
Contact OpenCATS support or check the project repository for available patches addressing SQL injection in DataGrid filter handling. Verify patch version numbers against vendor advisories before deployment. Patch testing in non-production environments is essential to ensure compatibility with existing workflows and integrations. Organizations should prioritize patching based on exposure (e.g., externally accessible instances, high-user-count deployments). Once patches are applied, confirm that filter functionality operates as expected and that the Tags column remains non-filterable from the UI.
Detection guidance
Monitor database query logs for SQL injection patterns in filter-related queries, such as UNION-based injections, time-delay payloads, or unusual SQL syntax in filter parameters. Application logs should be reviewed for filter requests targeting the Tags column or containing encoded SQL payloads. Web application firewalls can detect common SQL injection signatures in filter request parameters. Behavioral analysis of user accounts—particularly detection of unusual data queries by users not normally performing analytics—may reveal exploitation. Regular vulnerability scanning of the OpenCATS instance can confirm patch status and identify instances still running vulnerable versions.
Why prioritize this
This vulnerability merits rapid patching because it combines high-impact data access (CVSS 8.1) with relatively low exploitation complexity. The authentication requirement limits scope, but does not meaningfully protect recruitment platforms where user access is distributed. The sensitivity of candidate data—PII, contact information, and assessment results—elevates business risk. The lack of KEV listing suggests a narrow window before weaponized exploits become commonplace. Organizations managing large candidate pipelines or in regulated industries (financial services, healthcare) should prioritize immediately.
Risk score, explained
The CVSS 3.1 score of 8.1 reflects: (1) Network accessibility (AV:N), enabling remote exploitation; (2) Low attack complexity (AC:L), as filter manipulation requires no special conditions; (3) Low privileges required (PR:L), limiting but not eliminating risk; (4) No user interaction (UI:N), allowing silent exploitation; (5) High confidentiality impact (C:H), enabling data theft; (6) High integrity impact (I:H), enabling data modification; (7) No availability impact (A:N), as the attack does not crash services. The score stops short of Critical (9.0+) solely because pre-authentication is required, acknowledging that credential compromise or insider threats remain the true entry point.
Frequently asked questions
Can attackers exploit this vulnerability without valid OpenCATS credentials?
No. The vulnerability requires authenticated access. However, 'authenticated' does not mean high-privilege—any user with DataGrid filter access, including low-level recruitment staff or temporary contractors, can exploit it. Compromised credentials or insider threats substantially lower the barrier in practice.
What data can an attacker access via this SQL injection?
An attacker can read, modify, or delete any data the OpenCATS database user account can access. This typically includes candidate profiles, contact information, application history, assessment scores, interview notes, attachments, and organizational hiring pipeline data. The extent depends on database permissions and data retention policies.
Is there a workaround if patching is delayed?
Temporary mitigations include restricting DataGrid filter access to high-trust users, disabling the filter feature if not essential, implementing database read-only replicas for candidate viewing, and enhancing monitoring for suspicious filter queries. However, these are interim measures; patching is the definitive fix.
How do I know if my OpenCATS instance has been compromised by this vulnerability?
Review database query logs and application logs for unusual filter requests, especially those targeting the Tags column or containing SQL keywords. Check for unauthorized data exports or modifications by staff accounts. Consider engaging a forensic analyst if you suspect exploitation, as attackers may cover their tracks.
This analysis is provided for informational purposes and reflects information available as of the publication date. Vendor patch status, affected versions, and remediation timelines should be verified directly with OpenCATS or the vendor's official advisory. This vulnerability requires authenticated access; organizations should assess credential security as part of their risk mitigation strategy. No exploit code or weaponized proof-of-concept is provided herein. Security teams should conduct internal testing in isolated environments before deploying patches. SEC.co makes no warranty regarding the accuracy or completeness of this analysis; use at your own discretion and consult official vendor guidance for definitive remediation steps. Source: NVD (public-domain), retrieved 2026-07-08. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2018-25382HIGHZechat 1.5 SQL Injection Vulnerability – Unauthenticated Database Access
- CVE-2018-25385HIGHUnauthenticated SQL Injection in E-Registrasi Pencak Silat 18.10
- CVE-2018-25386HIGHSQL Injection in HaPe PKH 1.1 Admin Interface
- CVE-2018-25389HIGHSQL Injection in HaPe PKH 1.1 Database Extraction
- CVE-2018-25390HIGHUnauthenticated SQL Injection in HaPe PKH 1.1
- CVE-2018-25392HIGHSQL Injection in MaxOn ERP Software 8.x-9.x
- CVE-2018-25394HIGHSQL Injection in Kados R10 GreenBee Unauthenticated Remote Database Access
- CVE-2018-25395HIGHKados R10 GreenBee SQL Injection Vulnerability – Unauthenticated Database Access