cbcvebase.
CVE-2026-35168
published 2026-04-02


Priority: P2 (63)
CVSS 3.1: 8.8 High, vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.67% (47.2th percentile)
OpenSTAManager is open-source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization. An authenticated attacker with access to the Aggiornamenti module can therefore run arbitrary SQL, including CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, SELECT ... INTO OUTFILE, and any other statement the MySQL server accepts for the application's database account. Foreign key checks are explicitly disabled before execution (SET FOREIGN_KEY_CHECKS=0), further reducing database integrity protections. This issue has been patched in version 2.10.2.

Affected

3 ranges

Vendor        Product          Version range      Fixed in
devcode-it    openstamanager   < 2.10.2           2.10.2
devcode-it    openstamanager   >= 0, < 2.10.2     2.10.2
devcode       openstamanager   < 2.10.2           2.10.2

Detection & IOCs (extracted from sources)

url: op=risolvi-conflitti-database
command: SET FOREIGN_KEY_CHECKS=0
command: SELECT INTO OUTFILE
  • Monitor HTTP POST requests to the Aggiornamenti module endpoint that carry the parameter op=risolvi-conflitti-database; this is the vulnerable operation that accepts arbitrary SQL as a JSON array.
  • Inspect POST bodies sent to OpenSTAManager for JSON arrays of SQL statements, particularly ones containing DDL/DML (CREATE, DROP, ALTER, INSERT, UPDATE, DELETE) or file-write clauses (SELECT ... INTO OUTFILE). Because the statements are executed as-is rather than spliced into an existing query, there is no quote or comment syntax to key on; match on the statements themselves.
  • Alert on database-level execution of SET FOREIGN_KEY_CHECKS=0 from the web application's database account, since the vulnerable code path prepends it before the attacker-supplied SQL. Legitimate update runs from the same module may also issue it, so baseline normal upgrade activity before treating it as a standalone indicator.
  • Exploitation requires authentication: the attacker needs a valid session with access to the Aggiornamenti (Updates) module. Restricting that module to trusted administrators reduces the attack surface but does not remove the flaw.
  • The vulnerability is fixed in OpenSTAManager version 2.10.2. All instances running versions prior to 2.10.2 (package devcode-it/openstamanager) are affected and should be upgraded.
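Detection logic for the first two bullets above, as an added example that is not from this page or from OpenSTAManager: it flags POST requests carrying op=risolvi-conflitti-database, pulls the JSON array of SQL statements out of the body, and classifies each statement by its leading keyword and file-write clauses. The endpoint path /osm/endpoint.php and the form field name sql are placeholders chosen here (the page does not state the real route or parameter name), and the sample requests are constructed.

```python
"""Added detection example for CVE-2026-35168 (not OpenSTAManager code).

Scans captured HTTP requests for the Aggiornamenti operation
op=risolvi-conflitti-database and classifies the SQL statements carried
in its JSON array. Endpoint paths and field names below are placeholders.
"""
import json
import re
from urllib.parse import parse_qs, urlencode, urlsplit

VULN_OP = "risolvi-conflitti-database"

DDL = {"CREATE", "DROP", "ALTER", "TRUNCATE", "RENAME"}
DML = {"INSERT", "UPDATE", "DELETE", "REPLACE"}
FILE_WRITE_RE = re.compile(r"\bINTO\s+(OUTFILE|DUMPFILE)\b", re.I)
FK_OFF_RE = re.compile(r"\bSET\s+FOREIGN_KEY_CHECKS\s*=\s*0\b", re.I)


def request_ops(url, body):
    """Values of the 'op' parameter from the query string and a form body."""
    ops = set(parse_qs(urlsplit(url).query).get("op", []))
    ops.update(parse_qs(body).get("op", []))
    return ops


def extract_statements(body):
    """Return every JSON array of strings found in the body.

    The page does not name the field that carries the array, so the raw body
    and each form-encoded field value are tried (assumption).
    """
    candidates = [body] + [v for vals in parse_qs(body).values() for v in vals]
    statements = []
    for text in candidates:
        try:
            data = json.loads(text)
        except ValueError:
            continue
        if isinstance(data, list) and all(isinstance(s, str) for s in data):
            statements.extend(data)
    return statements


def classify(stmt):
    """Tag one SQL statement by its leading keyword and notable clauses."""
    words = stmt.split()
    keyword = words[0].upper().rstrip(";") if words else ""
    if FILE_WRITE_RE.search(stmt):
        return "file-write"
    if keyword in DDL:
        return "ddl"
    if keyword in DML:
        return "dml"
    if FK_OFF_RE.search(stmt):
        return "fk-checks-off"
    return "other"


def analyze(method, url, body):
    """None for requests not hitting the vulnerable op, else a finding dict."""
    if method.upper() != "POST" or VULN_OP not in request_ops(url, body):
        return None
    tags = [classify(s) for s in extract_statements(body)]
    if "file-write" in tags:
        severity = "critical"
    elif "ddl" in tags:
        severity = "high"
    elif "dml" in tags:
        severity = "medium"
    else:
        severity = "low"
    return {"statements": len(tags), "tags": tags, "severity": severity}


# Constructed sample traffic; /osm/endpoint.php and the 'sql' field are
# placeholders, not OpenSTAManager's real route or parameter name.
SAMPLES = [
    ("POST", "/osm/endpoint.php?op=salva", urlencode({"id": "12", "note": "ok"})),
    ("POST", "/osm/endpoint.php",
     urlencode({"op": VULN_OP, "sql": json.dumps(
         ["DROP TABLE clienti", "INSERT INTO utenti (username) VALUES ('x')"])})),
    ("POST", "/osm/endpoint.php?op=" + VULN_OP,
     json.dumps(["SELECT 'x' INTO OUTFILE '/tmp/out.txt'"])),
    ("GET", "/osm/endpoint.php?op=" + VULN_OP, ""),
]


def scan(samples=SAMPLES):
    """Run analyze() over a list of (method, url, body) tuples."""
    return [analyze(*s) for s in samples]


if __name__ == "__main__":
    for sample, finding in zip(SAMPLES, scan()):
        print(sample[0], sample[1], "->", finding)
```

Run it directly to print one finding per sample request. The third bullet (SET FOREIGN_KEY_CHECKS=0 at the database layer) needs the MySQL general or audit log rather than HTTP capture and is not covered by this script; the classifier still tags that statement if an attacker includes it in the array.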