Description
OpenSTAManager version 2.10 and earlier contains an arbitrary file upload vulnerability in the module update functionality (modules/aggiornamenti/upload_modules.php)
Published: 2026-05-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenSTAManager versions 2.10 and earlier allow an attacker to upload arbitrary files through the module update upload endpoint. The flaw permits the replacement or addition of files on the server, potentially enabling execution of malicious code or tampering of application logic. The vulnerability falls under uncontrolled file upload weaknesses.

Affected Systems

The affected product is OpenSTAManager, version 2.10 and earlier. No specific vendor information is provided. The vulnerability resides in the modules/aggiornamenti/upload_modules.php script used for module updates.

Risk and Exploitability

There is no publicly published CVSS score or EPSS estimate, and the vulnerability is not listed in the CISA KEV catalog. Nonetheless, arbitrary file upload is a high‑severity flaw and is often exploited when proper validation is missing. The likely attack vector requires the attacker to submit a crafted upload request to the vulnerable endpoint, which may be reachable over the network or via internal access depending on the deployment. If active, the flaw can lead to code execution, data compromise, or service disruption.

Generated by OpenCVE AI on May 4, 2026 at 20:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply an available vendor update or upgrade to a newer version of OpenSTAManager that addresses the file upload vulnerability.
  • If an upgrade is not immediately possible, disable or restrict the module upload functionality so that no files can be uploaded through the public interface.
  • Implement server‑side validation to allow only approved file types and extensions, and ensure uploaded files are stored outside the web‑root or executed with restricted permissions.

Generated by OpenCVE AI on May 4, 2026 at 20:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 21:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-434

Mon, 04 May 2026 19:00:00 +0000

Type Values Removed Values Added
Description OpenSTAManager version 2.10 and earlier contains an arbitrary file upload vulnerability in the module update functionality (modules/aggiornamenti/upload_modules.php)
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-04T18:40:54.253Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38751

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-04T19:16:03.613

Modified: 2026-05-04T19:16:03.613

Link: CVE-2026-38751

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T21:00:09Z

Weaknesses