CVE-2026-27012
published 2026-03-03


Priority: P2 · 64
Severity: critical, 9.8 (CVSS 3.1)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.54% (41.1st percentile)
OpenSTAManager is an open source management application for technical assistance and invoicing. In version 2.9.8 and earlier, a privilege escalation and authentication bypass vulnerability allows any attacker to arbitrarily change a user's group (idgruppo) by calling modules/utenti/actions.php directly, without the access checks the normal UI flow applies. This can promote an existing account (for example an agent) into the Amministratori group, and can equally demote any user, including existing administrators.

Affected (3 ranges)

Vendor        Product          Version range   Fixed in
devcode-it    openstamanager   <= 2.9.8        none listed
devcode-it    openstamanager   0 – 2.9.8       none listed
devcode       openstamanager   <= 2.9.8        none listed

Detection & IOCs (extracted from sources)

path: modules/utenti/actions.php
  • Monitor unauthenticated or low-privileged HTTP requests that target modules/utenti/actions.php directly, especially those carrying the idgruppo parameter, which indicates an attempt to change a user's group assignment.
  • Alert on any change of a user's group to Amministratori that originates from a non-administrative (or anonymous) session; exploitation promotes arbitrary accounts to the administrator group.
  • The vulnerability affects OpenSTAManager 2.9.8 and earlier, and no fix was available as of the publication date (March 3, 2026). Until a patch is released, restrict or block access to modules/utenti/actions.php at the web server or WAF layer, and verify that existing administrator accounts have not been demoted.
  • A public exploit exists for this CVE (CVSS 9.8, Critical), which raises the urgency of detection and mitigation for any internet-exposed OpenSTAManager instance.
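The two detection bullets above, implemented as a small log scanner. This is an added example, not code from OpenSTAManager or from the advisory. It runs over a constructed JSON-lines log whose field names (ts, src_ip, user, role, method, path, params, new_group) are assumptions standing in for whatever your reverse proxy or application audit log actually emits; the group name Agenti and the parameters op and id_utente are likewise assumed for illustration. Only idgruppo and the path modules/utenti/actions.php come from the advisory. The scanner normalizes the request path (percent-decoding, collapsed slashes) so trivial evasions of a literal string match still hit, and flags both halves of the detection: idgruppo set from an anonymous or non-admin session, and a user landing in Amministratori from a non-admin session.

```python
"""Detection logic for CVE-2026-27012-style requests (added example).

Field names in the log records are assumptions, not the project's real
log format; adapt them to your proxy or application audit log.
"""
import json
import posixpath
from urllib.parse import parse_qs, unquote, urlsplit

TARGET = "modules/utenti/actions.php"          # endpoint named in the advisory
ADMIN_GROUP = "amministratori"                 # group named in the advisory
ADMIN_ROLES = {"amministratori"}               # assumption: role field holds the group name

# Constructed sample log (JSON lines). Values such as "Agenti", "op" and
# "id_utente" are illustrative assumptions, not captured traffic.
SAMPLE_LOG = """\
{"ts":"2026-03-04T09:00:01Z","src_ip":"10.0.0.5","user":"admin","role":"Amministratori","method":"POST","path":"/modules/utenti/actions.php","params":{"op":"update","id_utente":"7","idgruppo":"2"},"new_group":"Agenti"}
{"ts":"2026-03-04T09:00:07Z","src_ip":"203.0.113.9","user":"","role":"","method":"POST","path":"/modules/utenti/actions.php","params":{"op":"update","id_utente":"3","idgruppo":"1"},"new_group":"Amministratori"}
{"ts":"2026-03-04T09:00:12Z","src_ip":"10.0.0.23","user":"agente1","role":"Agenti","method":"POST","path":"/modules/utenti/actions.php?idgruppo=1","params":{"op":"update","id_utente":"12"},"new_group":"Amministratori"}
{"ts":"2026-03-04T09:00:15Z","src_ip":"203.0.113.9","user":"","role":"","method":"GET","path":"/modules//utenti/%2561ctions.php?idgruppo=1&id_utente=4","params":{},"new_group":""}
{"ts":"2026-03-04T09:00:20Z","src_ip":"10.0.0.23","user":"agente1","role":"Agenti","method":"GET","path":"/modules/interventi/actions.php?op=list","params":{},"new_group":""}
"""


def normalize_path(raw_url):
    """Strip the query, percent-decode twice (catches %25xx double encoding),
    collapse '//' and '/./', drop the leading slash and lower-case the result."""
    path = unquote(unquote(urlsplit(raw_url).path))
    return posixpath.normpath(path).lstrip("/").lower()


def targets_endpoint(raw_url):
    """True when the normalized path ends with the vulnerable endpoint."""
    return normalize_path(raw_url).endswith(TARGET)


def merged_params(record):
    """Query-string and body parameters merged, lower-cased keys, list values."""
    query = urlsplit(record.get("path", "")).query
    params = {k.lower(): list(v) for k, v in parse_qs(query).items()}
    for k, v in (record.get("params") or {}).items():
        params.setdefault(k.lower(), []).append(str(v))
    return params


def classify(record):
    """Return the alert reasons for one record; an empty list means no alert."""
    if not targets_endpoint(record.get("path", "")):
        return []
    params = merged_params(record)
    role = (record.get("role") or "").lower()
    user = record.get("user") or ""
    reasons = []
    # Bullet 1: idgruppo supplied by an anonymous or non-admin session.
    if "idgruppo" in params:
        if not user:
            reasons.append("unauthenticated request sets idgruppo")
        elif role not in ADMIN_ROLES:
            reasons.append("non-admin session (%s) sets idgruppo" % role)
    # Bullet 2: the resulting group is Amministratori but the actor is not an admin.
    if (record.get("new_group") or "").lower() == ADMIN_GROUP and role not in ADMIN_ROLES:
        reasons.append("user promoted to Amministratori from a non-admin session")
    return reasons


def scan(log_text):
    """Run classify() over JSON lines; return (ts, src_ip, user, reasons) per hit."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = classify(rec)
        if reasons:
            hits.append((rec["ts"], rec["src_ip"], rec["user"] or "<anonymous>", reasons))
    return hits


if __name__ == "__main__":
    for ts, ip, user, reasons in scan(SAMPLE_LOG):
        print(ts, ip, user, "; ".join(reasons))
```

Plain web server access logs do not record POST bodies or the session's role, so the idgruppo and role checks presume an application-level or reverse-proxy audit log; the new_group check presumes a database-side audit of the group column. A legitimate administrator changing a group through the same endpoint produces no alert, which is the intended baseline; if you cannot attribute sessions at all, fall back to alerting on every request to the endpoint until the patch is applied.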