CVE-2026-35168
Published 2026-04-02
Priority P2 (63), severity high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 0.67% (47.2nd percentile)
OpenSTAManager is open-source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements via POST and executes each one directly against the database without any validation, allowlist, or sanitization. An authenticated attacker with access to the Aggiornamenti module can therefore execute arbitrary SQL statements, including CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, SELECT ... INTO OUTFILE, and any other command supported by the MySQL server. Because the statements are executed whole, no quoting needs to be broken out of; this is direct SQL execution rather than classic injection into an existing query. Foreign key checks are explicitly disabled before execution (SET FOREIGN_KEY_CHECKS=0), further reducing database integrity protections. This issue has been patched in version 2.10.2.
Affected (3 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| devcode-it | openstamanager | < 2.10.2 | 2.10.2 |
| devcode-it | openstamanager | >= 0 < 2.10.2 | 2.10.2 |
| devcode | openstamanager | < 2.10.2 | 2.10.2 |
Detection & IOCs (extracted from sources)
- Monitor HTTP POST requests to the Aggiornamenti module endpoint that carry the parameter op=risolvi-conflitti-database; this is the vulnerable operation that accepts arbitrary SQL as a JSON array.
- Inspect JSON arrays of SQL statements in POST bodies sent to OpenSTAManager, particularly those containing DDL/DML commands (CREATE, DROP, ALTER, INSERT, UPDATE, DELETE) or file-write commands (SELECT ... INTO OUTFILE). The handler executes each array element as a complete statement, so keyword-level inspection of each element is sufficient; there is no quoting to break out of.
- Alert on database-level execution of SET FOREIGN_KEY_CHECKS=0 issued by the web application's database user, since the vulnerable code path prepends it to the attacker-supplied SQL. The legitimate conflict-resolution feature issues the same statement, so correlate it with the originating HTTP request rather than alerting on it alone.
- Exploitation requires authentication: the attacker needs a valid session with access to the Aggiornamenti (Updates) module. Restricting that module to trusted administrators reduces the attack surface but does not remove the flaw.
- The vulnerability is fixed in OpenSTAManager version 2.10.2. Every instance running an earlier version (package devcode-it/openstamanager) is affected and should be updated.
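The three signals above can be turned into one check over request logs. The detector below is an added example written for this page, not code from OpenSTAManager or from the advisory. It parses each POST, looks for op=risolvi-conflitti-database in the query string or the form body (the advisory does not say which one the module reads, so both are tried), locates the JSON array of SQL statements (either as a raw JSON body or as the value of any form field, since the field name is not given), and classifies each statement by its leading keyword, with a separate pattern for SELECT ... INTO OUTFILE/DUMPFILE because that form starts with a harmless-looking SELECT. The endpoint path, the table names and the sample requests are constructed for the example. The same per-statement classification is what an allowlist inside the handler would have to perform.

```python
"""Detection for CVE-2026-35168: flag POST requests that hit the
OpenSTAManager conflict-resolution operation (op=risolvi-conflitti-database)
and classify the SQL statements carried in the JSON array.

Added example for this page; not code from OpenSTAManager or its advisory.
Assumptions: `op` may arrive in the query string or in the form body; the
JSON array may be the raw body or the value of any form field (no field
name is assumed); ENDPOINT and all table names are hypothetical; the sample
requests are constructed, not captured traffic.
"""
from __future__ import annotations

import json
import re
from urllib.parse import parse_qs, urlencode, urlsplit

VULN_OP = "risolvi-conflitti-database"

# Statement verbs the advisory names as reachable through this code path,
# plus a few DDL/DML variants that are just as destructive.
DANGEROUS_VERBS = {"CREATE", "DROP", "ALTER", "INSERT", "UPDATE", "DELETE",
                   "TRUNCATE", "RENAME", "REPLACE", "GRANT", "LOAD"}
# SELECT ... INTO OUTFILE/DUMPFILE writes a file; the leading SELECT hides it.
OUTFILE_RE = re.compile(r"\bINTO\s+(?:OUTFILE|DUMPFILE)\b", re.IGNORECASE)
# Leading SQL comments (/* */, -- , #) that would mask the real verb.
LEADING_COMMENT_RE = re.compile(
    r"^\s*(?:/\*.*?\*/\s*|--[^\n]*\n\s*|#[^\n]*\n\s*)*", re.DOTALL)


def classify_statement(sql: str) -> str | None:
    """Return a label for a dangerous statement, or None if it looks benign."""
    stripped = LEADING_COMMENT_RE.sub("", sql, count=1).strip()
    if not stripped:
        return None
    if OUTFILE_RE.search(stripped):
        return "file-write"
    verb = re.split(r"[\s(;]", stripped, maxsplit=1)[0].upper()
    if verb in DANGEROUS_VERBS:
        return "ddl-dml:" + verb
    return None


def extract_sql_array(body: str, form: dict[str, list[str]]) -> list[str]:
    """Locate the JSON array of SQL strings: raw JSON body first, then every
    form field value, because the advisory does not name the field."""
    candidates = [body] + [v for values in form.values() for v in values]
    for cand in candidates:
        try:
            parsed = json.loads(cand)
        except ValueError:
            continue
        if isinstance(parsed, list) and parsed and all(isinstance(s, str) for s in parsed):
            return parsed
    return []


def analyze_request(method: str, url: str, body: str) -> dict | None:
    """Return a finding for a request that reaches the vulnerable op, else None."""
    if method.upper() != "POST":
        return None
    form = parse_qs(body, keep_blank_values=True)
    op = (parse_qs(urlsplit(url).query).get("op") or form.get("op") or [None])[0]
    if op != VULN_OP:
        return None
    statements = extract_sql_array(body, form)
    flagged = [(s, label) for s in statements if (label := classify_statement(s))]
    return {
        "op": op,
        "statements": len(statements),
        "flagged": flagged,
        # Every hit on this op is worth recording; DDL/DML or a file write makes it high.
        "severity": "high" if flagged else "medium",
    }


# Constructed sample traffic (hypothetical path and table names).
ENDPOINT = "/modules/aggiornamenti/actions.php"
SAMPLE_REQUESTS = [
    # 1: form body, op in the query string, a comment-masked DROP and an OUTFILE write
    ("POST", ENDPOINT + "?op=" + VULN_OP, urlencode({"queries": json.dumps([
        "/* hide */ drop table zz_example",
        "SELECT 1 INTO OUTFILE '/tmp/probe.txt'",
        "SELECT COUNT(*) FROM an_anagrafiche",
    ])})),
    # 2: raw JSON body, op in the query string, read-only statement
    ("POST", ENDPOINT + "?op=" + VULN_OP, json.dumps(["SELECT 1"])),
    # 3: op in the body, empty array
    ("POST", ENDPOINT, urlencode({"op": VULN_OP, "queries": "[]"})),
    # 4: a different operation is not this code path
    ("POST", ENDPOINT, urlencode({"op": "aggiorna", "queries": json.dumps(["DROP TABLE x"])})),
    # 5: the vulnerable feature is POST-only per the advisory
    ("GET", ENDPOINT + "?op=" + VULN_OP, ""),
]


def scan(requests=SAMPLE_REQUESTS) -> list[dict]:
    """Run the detector over (method, url, body) tuples and return the findings."""
    return [f for f in (analyze_request(*r) for r in requests) if f]


if __name__ == "__main__":
    for finding in scan():
        print(finding["severity"], finding["statements"], finding["flagged"])
```

Run as a script it prints one finding per request that reached the vulnerable operation. Every such request is reported at medium severity, because an administrator running a legitimate update produces the same kind of DDL; the high tier therefore needs to be correlated with who made the request and whether an update was expected. The leading-comment stripping covers the common trick of prefixing a statement with /* ... */ so that a naive first-word check sees nothing.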
OSV (osv · 2026-04-03)
CVE-2026-35168 [HIGH] OpenSTAManager: SQL Injection via Aggiornamenti Module
## Description
The Aggiornamenti (Updates) module in OpenSTAManager
```php
// Excerpt of the vulnerable conflict-resolution handler (op=risolvi-conflitti-database).
// $queries holds the JSON array of SQL statements decoded from the POST body;
// the lines that read and decode the request are not shown here.
$dbo->query('SET FOREIGN_KEY_CHECKS=0'); // Line 69: FK checks DISABLED
$errors = [];
$executed = 0;
foreach ($queries as $query) {
    try {
        $dbo->query($query); // Line 76: DIRECT EXECUTION of the user-supplied statement
        ++$executed;
    } catch (Exception $e) {
        $errors[] = $query.' - '.$e->getMessage(); // Line 79: Error details leaked back to the caller
    }
}
$dbo->query('SET FOREIGN_KEY_CHECKS=1'); // Line 82: FK checks re-enabled
```
### Key Issues
1. **No query validation:** The SQL statements from user input are executed directly via `$dbo->query()` without any validation or filtering.
2. **No allowlist:** There is no restriction on which SQL commands are permitted (e.g., only `ALTER TABLE` or `CREATE INDEX`).
3. **Fore
GHSA (ghsa · 2026-04-03)
CVE-2026-35168 [HIGH] CWE-89 OpenSTAManager: SQL Injection via Aggiornamenti Module
No detection rules found.
No public exploits indexed.
https://github.com/devcode-it/openstamanager/commit/43970676bcd6636ff8663652fd82579f737abb74
https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2
https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98