Description
OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module. The application fails to validate that elements of the id_records array are integers before using them in an SQL IN() clause, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages.
Published: 2026-02-06
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection leading to data exfiltration
Action: Immediate Patch
AI Analysis

Impact

OpenSTAManager v2.9.8 and earlier allow a critical error‑based SQL injection through the bulk operations handler in the Scadenzario module. The code does not enforce integer validation on elements of the id_records array before inserting them into an SQL IN() clause, permitting an attacker to inject arbitrary SQL commands. This can lead to extraction of sensitive data via XPATH error messages and potentially further compromise of the database. The weakness maps to CWE-89, a classic injection flaw.

Affected Systems

The vulnerability exists in devcode-it OpenSTAManager versions 2.9.8 and earlier. Users running these versions on any platform that exposes the Scadenzario bulk operations interface are affected.

Risk and Exploitability

The CVSS score of 8.7 indicates a high severity, while the EPSS score of less than 1% suggests a low current exploitation probability. The advisory is not listed in the CISA KEV catalog, implying no confirmed widespread exploitation at the time of assessment. Exploitation likely requires access to the bulk operations API or web interface; it is inferred that authenticated or privileged users could use the vulnerable parameter to inject malicious SQL. The lack of immediate public exploitation mitigates urgency, but the high impact and available attack vector warrant prompt action.

Generated by OpenCVE AI on April 17, 2026 at 22:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to OpenSTAManager v2.9.9 or later, where the id_records input is validated to contain only integers.
  • If an upgrade cannot be performed immediately, enforce server‑side validation on the id_records array, rejecting any non‑numeric values before the SQL query is constructed.
  • Restrict access to the bulk operations endpoint to trusted administrators and monitor for anomalous query patterns or error messages that may indicate injection attempts.

Generated by OpenCVE AI on April 17, 2026 at 22:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-4xwv-49c8-fvhq OpenSTAManager has a SQL Injection vulnerability in the Scadenzario bulk operations module
History

Mon, 09 Feb 2026 21:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

Mon, 09 Feb 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Devcode
Devcode openstamanager
Vendors & Products Devcode
Devcode openstamanager

Fri, 06 Feb 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 06 Feb 2026 18:30:00 +0000

Type Values Removed Values Added
Description OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module. The application fails to validate that elements of the id_records array are integers before using them in an SQL IN() clause, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages.
Title OpenSTAManager has an SQL Injection vulnerability in the Scadenzario bulk operations module
Weaknesses CWE-89
References
Metrics cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Devcode Openstamanager
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-06T18:48:34.264Z

Reserved: 2026-01-22T18:19:49.175Z

Link: CVE-2026-24418

cve-icon Vulnrichment

Updated: 2026-02-06T18:48:24.877Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-06T19:16:09.120

Modified: 2026-02-09T21:42:38.140

Link: CVE-2026-24418

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T22:45:29Z

Weaknesses