CVE-2026-29782
Published 2026-04-02
Priority P3 (48) · CVSS 3.1 7.2 High
Vector: AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
EPSS 0.57% (42.9th percentile)
OpenSTAManager is open-source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize() on that record's access_token field without any class restriction. This issue has been patched in version 2.10.2.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| devcode-it | openstamanager | < 2.10.2 | 2.10.2 |
| devcode-it | openstamanager | >= 0 < 2.10.2 | 2.10.2 |
| devcode | openstamanager | < 2.10.2 | 2.10.2 |
OSV
osv·2026-04-01
CVE-2026-29782 [HIGH] OpenSTAManager Affected by Remote Code Execution via Insecure Deserialization in OAuth2
## Description
The `oauth2.php` file in OpenSTAManager is an **unauthenticated** endpoint (`$skip_permissions = true`). It loads a record from the `zz_oauth2` table using the attacker-controlled GET parameter `state`, and during the OAuth2 configuration flow calls `unserialize()` on the `access_token` field **without any class restriction**.
An attacker who can write to the `zz_oauth2` table (e.g., via the arbitrary SQL injection in the Aggiornamenti module reported in [GHSA-2fr7-cc4f-wh98](https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98)) can insert a malicious serialized PHP object (gadget chain) that upon deserialization executes arbitrary commands on the server.
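To make the sink concrete, here is an added example (not OpenSTAManager's own code) contrasting the unrestricted `unserialize()` pattern the advisory describes with a hardened variant. The table and column names (`zz_oauth2`, `state`, `access_token`) follow the advisory; the in-memory SQLite setup, the `Gadget` class and all function names are assumptions constructed for the demo. The point it shows is that the dangerous step is not the SQL read (the query below is parameterised) but what the application does with the string it reads back: a serialized object stored by someone with write access to the table becomes a live object, and its magic methods run, before the application checks anything.

```php
<?php
// Added example, not OpenSTAManager code. Demonstrates why unrestricted
// unserialize() on a database-sourced field is dangerous and how to harden it.
// Requires the pdo_sqlite extension (assumption); PHP 7.4+ for typed properties.

// Stand-in for any already-loaded class with a magic method that runs during
// deserialization. Real gadget chains reuse classes the application or its
// vendored libraries already define; this one only prints what it would do.
class Gadget
{
    public string $cmd = '';
    public function __wakeup(): void
    {
        // A real chain would reach something like system($this->cmd) here.
        echo "[Gadget::__wakeup] would execute: {$this->cmd}\n";
    }
}

// Constructed in-memory table mimicking zz_oauth2 (only the fields we need).
function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE zz_oauth2 (state TEXT PRIMARY KEY, access_token TEXT)');
    return $db;
}

// What an attacker with write access to zz_oauth2 (for example through a
// separate SQL injection) stores: a serialized object where the application
// expects a serialized token array.
function plantPayload(PDO $db, string $state): void
{
    $g = new Gadget();
    $g->cmd = 'id';
    $stmt = $db->prepare('INSERT INTO zz_oauth2 (state, access_token) VALUES (?, ?)');
    $stmt->execute([$state, serialize($g)]);
}

// The read itself is safe (bound parameter); the problem is downstream.
function loadToken(PDO $db, string $state): ?string
{
    $stmt = $db->prepare('SELECT access_token FROM zz_oauth2 WHERE state = ?');
    $stmt->execute([$state]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? $row['access_token'] : null;
}

// Vulnerable pattern (CWE-502): unrestricted unserialize on a stored field.
function vulnerableFlow(PDO $db, string $state)
{
    $raw = loadToken($db, $state);
    return $raw === null ? null : unserialize($raw);   // Gadget::__wakeup fires
}

// Hardened pattern: forbid object instantiation entirely. Any object in the
// payload becomes __PHP_Incomplete_Class and no magic method runs; the shape
// check then rejects it. If the token only ever holds scalars and arrays,
// storing it as JSON (json_encode/json_decode) removes the object path completely.
function hardenedFlow(PDO $db, string $state)
{
    $raw = loadToken($db, $state);
    if ($raw === null) {
        return null;
    }
    $token = unserialize($raw, ['allowed_classes' => false]);
    if (!is_array($token)) {
        // Anything that is not the expected structure is treated as tampering.
        throw new RuntimeException('access_token has unexpected structure');
    }
    return $token;
}

$db = makeDb();
plantPayload($db, 'attacker-state');

vulnerableFlow($db, 'attacker-state');   // prints the __wakeup line

try {
    hardenedFlow($db, 'attacker-state'); // __wakeup never runs
} catch (RuntimeException $e) {
    echo "hardened: " . $e->getMessage() . "\n";
}
```

Two practical checks follow from this. When auditing, grep for `unserialize(` calls whose second argument is missing or does not set `allowed_classes`, and trace every source of the first argument that can be influenced by a database write, not just by a request parameter. When patching, note that `allowed_classes => false` closes the gadget path but does not authenticate the endpoint; in the advisory's setting the `$skip_permissions = true` flag and the write primitive into `zz_oauth2` are separate issues that still need their own fixes.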
GHSA
ghsa·2026-04-01
CVE-2026-29782 [HIGH] CWE-502 OpenSTAManager Affected by Remote Code Execution via Insecure Deserialization in OAuth2
No detection rules found.
No public exploits indexed.