CVE-2026-35470
Last modified
CVE-2026-35470 is a high-severity vulnerability rated 8.8/10 on the CVSS scale. OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to 2.10.2, confronta_righe.php files across different modules in OpenSTAManager contain an SQL Injection vulnerability. EPSS estimates a 0.42% chance of exploitation in the next 30 days.
Description
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to 2.10.2, confronta_righe.php files across different modules in OpenSTAManager contain an SQL Injection vulnerability. The righe parameter received via $_GET['righe'] is directly concatenated into an SQL query without any sanitization, parameterization or validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including user credentials, customer information, invoice data and any other stored data. This vulnerability is fixed in 2.10.2.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Devcode | Openstamanager | < 2.10.2 |
References
- https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2Product, Release Notes
- https://github.com/devcode-it/openstamanager/security/advisories/GHSA-mmm5-3g4x-qw39Exploit, Mitigation, Vendor Advisory
- https://github.com/devcode-it/openstamanager/security/advisories/GHSA-mmm5-3g4x-qw39Exploit, Mitigation, Vendor Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-35470?
How severe is CVE-2026-35470?
How do I fix CVE-2026-35470?
Are you affected by CVE-2026-35470?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST