Description
OpenSTAManager version 2.10 and earlier contains an arbitrary file upload vulnerability in the module update functionality (modules/aggiornamenti/upload_modules.php)
Published: 2026-05-04
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenSTAManager versions 2.10 and earlier allow an attacker to upload arbitrary files through the module update upload endpoint. The flaw permits the replacement or addition of files on the server, potentially enabling execution of malicious code or tampering of application logic. The vulnerability falls under uncontrolled file upload weaknesses.

Affected Systems

The affected product is OpenSTAManager, version 2.10 and earlier. No specific vendor information is provided. The vulnerability resides in the modules/aggiornamenti/upload_modules.php script used for module updates.

Risk and Exploitability

The CVSS score is 7.2, indicating high severity, and the EPSS estimate is < 1%, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, arbitrary file upload is a high‑severity flaw and is often exploited when proper validation is missing. The likely attack vector requires the attacker to submit a crafted upload request to the vulnerable endpoint, which may be reachable over the network or via internal access depending on the deployment. If active, the flaw can lead to code execution, data compromise, or service disruption.

Generated by OpenCVE AI on May 5, 2026 at 15:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an available vendor update or upgrade to a newer version of OpenSTAManager that addresses the file upload vulnerability.
  • If an upgrade is not immediately possible, disable or restrict the module upload functionality so that no files can be uploaded through the public interface.
  • Implement server‑side validation to allow only approved file types and extensions, and ensure uploaded files are stored outside the web‑root or executed with restricted permissions.

Generated by OpenCVE AI on May 5, 2026 at 15:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-rm34-fg4m-39mw OpenSTAManager contains an arbitrary file upload vulnerability in its module update functionality
History

Fri, 29 May 2026 14:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:*

Tue, 05 May 2026 22:00:00 +0000

Type Values Removed Values Added
First Time appeared Devcode
Devcode openstamanager
Vendors & Products Devcode
Devcode openstamanager

Tue, 05 May 2026 16:00:00 +0000

Type Values Removed Values Added
Title Arbitrary File Upload in OpenSTAManager Module Update

Tue, 05 May 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 04 May 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-434

Mon, 04 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description OpenSTAManager version 2.10 and earlier contains an arbitrary file upload vulnerability in the module update functionality (modules/aggiornamenti/upload_modules.php)
References

Subscriptions

Devcode Openstamanager
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-05T13:16:50.017Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38751

cve-icon Vulnrichment

Updated: 2026-05-05T13:15:53.188Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-04T19:16:03.613

Modified: 2026-05-29T14:41:34.623

Link: CVE-2026-38751

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T21:45:15Z

Weaknesses