Description
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization. An authenticated attacker with access to the Aggiornamenti module can execute arbitrary SQL statements including CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, SELECT INTO OUTFILE, and any other SQL command supported by the MySQL server. Foreign key checks are explicitly disabled before execution (SET FOREIGN_KEY_CHECKS=0), further reducing database integrity protections. This issue has been patched in version 2.10.2.
Published: 2026-04-02
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: SQL Injection enabling arbitrary database manipulation
Action: Immediate Patch
AI Analysis

Impact

A flaw in the Aggiornamenti module of OpenSTAManager permits an authenticated user to submit a JSON array of raw SQL statements that are executed directly against the MySQL database without any validation or sanitization. This allows the attacker to perform CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, or even SELECT INTO OUTFILE commands, effectively giving them full SQL injection capabilities and the ability to disable foreign key checks before execution, further undermining database integrity.

Affected Systems

The vulnerability affects the OpenSTAManager product by devcode-it, specifically all releases prior to version 2.10.2. Users running those earlier versions with the Aggiornamenti module enabled are exposed.

Risk and Exploitability

The issue has a CVSS score of 8.8 and an EPSS score of less than 1%, indicating high severity but a low probability of exploitation in the wild. It is not listed in CISA’s KEV catalog. Exploitation requires authentication and access to the Aggiornamenti module; once reached, the attacker can execute arbitrary SQL and exfiltrate data or alter the database structure.

Generated by OpenCVE AI on April 7, 2026 at 21:44 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to OpenSTAManager 2.10.2 or later to remove the vulnerability.
  • Limit use of the Aggiornamenti module to trusted administrators only if a patch can not be applied immediately.
  • After applying the patch, audit database logs for suspicious activity and restore affected data if necessary.

Generated by OpenCVE AI on April 7, 2026 at 21:44 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2fr7-cc4f-wh98 OpenSTAManager: SQL Injection via Aggiornamenti Module
History

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:*

Sat, 04 Apr 2026 07:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Devcode
Devcode openstamanager
Vendors & Products Devcode
Devcode openstamanager

Thu, 02 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Description OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization. An authenticated attacker with access to the Aggiornamenti module can execute arbitrary SQL statements including CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, SELECT INTO OUTFILE, and any other SQL command supported by the MySQL server. Foreign key checks are explicitly disabled before execution (SET FOREIGN_KEY_CHECKS=0), further reducing database integrity protections. This issue has been patched in version 2.10.2.
Title OpenSTAManager: SQL Injection via Aggiornamenti Module
Weaknesses CWE-89
References
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

Subscriptions

Devcode Openstamanager
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T16:23:20.657Z

Reserved: 2026-04-01T17:26:21.133Z

Link: CVE-2026-35168

cve-icon Vulnrichment

Updated: 2026-04-02T16:19:29.009Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T14:16:31.543

Modified: 2026-04-07T18:30:59.500

Link: CVE-2026-35168

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:56:29Z

Weaknesses