{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35168", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-01T17:26:21.133Z", "datePublished": "2026-04-02T13:48:16.626Z", "dateUpdated": "2026-04-02T16:23:20.657Z"}, "containers": {"cna": {"title": "OpenSTAManager: SQL Injection via Aggiornamenti Module", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98"}, {"name": "https://github.com/devcode-it/openstamanager/commit/43970676bcd6636ff8663652fd82579f737abb74", "tags": ["x_refsource_MISC"], "url": "https://github.com/devcode-it/openstamanager/commit/43970676bcd6636ff8663652fd82579f737abb74"}, {"name": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2"}], "affected": [{"vendor": "devcode-it", "product": "openstamanager", "versions": [{"version": "< 2.10.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T13:48:16.626Z"}, "descriptions": [{"lang": "en", "value": "OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization. An authenticated attacker with access to the Aggiornamenti module can execute arbitrary SQL statements including CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, SELECT INTO OUTFILE, and any other SQL command supported by the MySQL server. Foreign key checks are explicitly disabled before execution (SET FOREIGN_KEY_CHECKS=0), further reducing database integrity protections. This issue has been patched in version 2.10.2."}], "source": {"advisory": "GHSA-2fr7-cc4f-wh98", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T16:19:18.702127Z", "id": "CVE-2026-35168", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T16:23:20.657Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization. An authenticated attacker with access to the Aggiornamenti module can execute arbitrary SQL statements including CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, SELECT INTO OUTFILE, and any other SQL command supported by the MySQL server. Foreign key checks are explicitly disabled before execution (SET FOREIGN_KEY_CHECKS=0), further reducing database integrity protections. This issue has been patched in version 2.10.2."}], "id": "CVE-2026-35168", "lastModified": "2026-04-02T17:16:27.323", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T14:16:31.543", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/devcode-it/openstamanager/commit/43970676bcd6636ff8663652fd82579f737abb74"}, {"source": "security-advisories@github.com", "url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.10.2)"}}], "enrichment": {"confidence": 94.0, "confidence_source": "matching", "scores": [{"score": 94.0, "source": "matching"}]}, "original": {"product": "openstamanager", "source": "cna", "vendor": "devcode-it"}, "product": "openstamanager", "vendor": "devcode"}], "analysis": {"en": {"generated_at": "2026-04-02T15:24:06.204620+00:00", "value": {"mitigation_remediation": ["Apply the official patch by upgrading to version 2.10.2 or later", "Restrict user permissions to the Aggiornamenti module so that only trusted administrators can access the conflict\u2011resolution feature", "If upgrading is not immediately possible, disable or remove the op=risolvi-conflitti-database operation to stop acceptance of arbitrary SQL", "Audit the database for unauthorized changes and ensure regular backups are in place"], "summary": {"action": "Immediate Patch", "impact": "Data Loss / Tampering"}, "threat_synthesis": {"affected_systems": "All instances of OpenSTAManager from devcode-it prior to version 2.10.2 are affected. The vulnerability is confined to the Aggiornamenti (Updates) module, specifically the op=risolvi-conflitti-database operation. Upgrading to 2.10.2 or later removes the flaw.", "description_and_impact": "OpenSTAManager allows an authenticated user to submit a JSON array of SQL commands to the Aggiornamenti module, which then executes them without validation or sanitization. This flaw permits the attacker to run CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, SELECT INTO OUTFILE, and other MySQL commands, effectively gaining full control over the database. As a result, an attacker could delete or modify records, exfiltrate sensitive data, or compromise the integrity and availability of the system.", "risk_and_exploitability": "With a CVSS score of 8.8 this vulnerability is rated high severity. The EPSS score is not provided, and the issue is not in the KEV catalog, but the lack of sanitization and the disabling of foreign key checks make exploitation straightforward for anyone with valid login credentials. Successful exploitation would allow precise data tampering or extraction, making the risk significant for organizations relying on OpenSTAManager for invoicing and technical assistance."}}}}, "created": "2026-04-02T20:12:28.597459+00:00", "updated": "2026-04-02T20:21:09.456299+00:00", "vendors": ["devcode", "devcode$PRODUCT$openstamanager"]}