CVE-2026-49490

OpenCATS from version 0.9.1a contains an SQL injection vulnerability in DataGrid filter handling that allows authenticated attackers to inject SQL through crafted filters targeting the non-filterable Tags column in the Candidates DataGrid. Attackers can bypass column filterable restrictions by manip...

high 8.1 CVSS 3.1

Published: May 31, 2026

Modified: Jun 1, 2026

Description

OpenCATS from version 0.9.1a contains an SQL injection vulnerability in DataGrid filter handling that allows authenticated attackers to inject SQL through crafted filters targeting the non-filterable Tags column in the Candidates DataGrid. Attackers can bypass column filterable restrictions by manipulating filter requests to execute arbitrary SQL queries against the database.

References

https://github.com/opencats/OpenCATS/security/advisories/GHSA-gmpc-j6h7-vw74
https://www.vulncheck.com/advisories/opencats-sql-injection-in-datagrid-filter-handling-for-tags-column

Version	3.1
Score	8.1 / 10
Severity	high