CVSS 8.8 | CVE-2026-28805, CVE-2026-29782, CVE-2026-35168

Critical Vulnerabilities in OpenSTAManager: SQL Injection and RCE

OpenSTAManager versions <= 2.10.1 are vulnerable to critical SQL injection and remote code execution (RCE) flaws. Patch immediately with `composer update devcode-it/openstamanager` to mitigate these risks.


Multiple critical vulnerabilities have been identified in OpenSTAManager versions 2.10.1 and earlier. These include a time-based blind SQL injection, insecure deserialization leading to remote code execution, and a more general SQL injection vulnerability. These flaws could allow an attacker to extract sensitive data, modify the database, or execute arbitrary commands on the server.

The CVSS score for these vulnerabilities ranges from 7.2 to 8.8, indicating high severity and significant potential for exploitation.

What is Devcode It/openstamanager?

OpenSTAManager is a PHP-based web application designed for managing and tracking projects, quotes, orders, and contracts. It provides a centralized platform for businesses to streamline their operations and collaborate effectively. Due to its widespread use and the severity of these vulnerabilities, prompt action is essential to protect your systems.

Time-Based Blind SQL Injection in AJAX Select Handlers

CVSS: 8.8
Affected versions: OpenSTAManager <= 2.10.1. Specifically, the Preventivi, Ordini, and Contratti modules are vulnerable.

High severity, allowing data extraction.

An estimated 0.031% of systems are potentially exposed.

Multiple AJAX select handlers in OpenSTAManager are vulnerable to time-based blind SQL injection through the `options[stato]` GET parameter. The user-supplied value is directly concatenated into SQL WHERE clauses without sanitization, allowing attackers to extract sensitive data.
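To make the bug class concrete, here is an added illustration (not OpenSTAManager's own code) of a hypothetical AJAX select handler filtering on `options[stato]`: the concatenating shape the advisory describes, beside a hardened version that allowlists the value and binds it. The table name, column names, status values and `DB_*` environment variables are assumptions for the example.

```php
<?php
// Added illustration, not OpenSTAManager's code: a hypothetical AJAX select
// handler that filters by options[stato]. Table name, column names and the
// status values are assumptions made for the example.
declare(strict_types=1);

// Vulnerable shape described in the advisory: the GET value is concatenated
// straight into the WHERE clause, so a quote in it rewrites the query.
function buildQueryVulnerable(array $options): string
{
    $stato = (string) ($options['stato'] ?? '');
    return "SELECT id, numero FROM preventivi WHERE stato = '" . $stato . "'";
}

// Hardened form: allowlist the value, then bind it as a parameter.
const ALLOWED_STATI = ['bozza', 'in_lavorazione', 'accettato', 'rifiutato'];

function fetchByStato(PDO $pdo, array $options): array
{
    $stato = $options['stato'] ?? null;
    // Reject anything outside the known set instead of trying to "clean" it.
    if (!is_string($stato) || !in_array($stato, ALLOWED_STATI, true)) {
        http_response_code(400);
        throw new InvalidArgumentException('invalid stato');
    }
    $stmt = $pdo->prepare('SELECT id, numero FROM preventivi WHERE stato = :stato');
    $stmt->bindValue(':stato', $stato, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// PHP parses "?options[stato]=bozza" into $_GET['options']['stato'].
$options = is_array($_GET['options'] ?? null) ? $_GET['options'] : [];
$pdo = new PDO(
    getenv('DB_DSN') ?: 'mysql:host=localhost;dbname=app',
    getenv('DB_USER') ?: '',
    getenv('DB_PASS') ?: '',
    [
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]
);
header('Content-Type: application/json');
echo json_encode(fetchByStato($pdo, $options), JSON_THROW_ON_ERROR);
```

The allowlist check does the real work here: a bound parameter alone would stop the injection, but rejecting unknown states also keeps the handler from being used as a probe for column values.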

How to fix CVE-2026-28805 in Devcode It/openstamanager

Patch immediately
  1. Update OpenSTAManager to version 2.10.2 or later.
  2. Update via Composer: `composer update devcode-it/openstamanager`

Verify with:

Check the OpenSTAManager version in the application's administration panel.

Workaround: None available. Patching is required.

NextGuard automatically flags CVE-2026-28805 if Devcode It/openstamanager appears in any of your monitored projects — no manual lookup required.

Remote Code Execution via Insecure Deserialization in OAuth2

CVSS: 7.2
Affected versions: OpenSTAManager <= 2.9.8. This vulnerability is exploitable without authentication.

High severity, allowing remote code execution.

An estimated 0.038% of systems are potentially exposed.

OpenSTAManager's `oauth2.php` endpoint is vulnerable to remote code execution due to insecure deserialization. An attacker can insert a malicious serialized PHP object into the `zz_oauth2` table and trigger its execution, leading to arbitrary code execution as the `www-data` user.
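As an added illustration (not OpenSTAManager's code) of the defensive side of this bug class: a hypothetical loader for values persisted with `serialize()` that refuses to instantiate classes from stored data, a JSON alternative for new code, and an audit helper that flags stored blobs containing a serialized object. The sample rows are constructed and assume PHP 8.

```php
<?php
// Added illustration, not OpenSTAManager's code: reading values that were stored
// with serialize() without letting the data choose which classes get instantiated.
// The sample rows below are constructed for the example.
declare(strict_types=1);

// allowed_classes => false turns every O:/C: entry into __PHP_Incomplete_Class,
// so no __wakeup()/__unserialize()/__destruct() of application or vendor classes
// runs on data read back from the database. Scalars and arrays decode normally.
function loadStoredValue(string $raw): mixed
{
    $value = @unserialize($raw, ['allowed_classes' => false]);
    if ($value === false && $raw !== 'b:0;') {
        throw new UnexpectedValueException('malformed serialized data');
    }
    return $value;
}

// For new code, persist JSON instead: it has no object-instantiation semantics.
function encodeForStorage(array $data): string
{
    return json_encode($data, JSON_THROW_ON_ERROR);
}

function decodeFromStorage(string $raw): array
{
    return json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
}

// Audit helper for existing rows: does the blob contain a serialized object?
// A string value that happens to contain ';O:1:"' would also match; treat
// matches as "inspect", not "malicious".
function containsSerializedObject(string $raw): bool
{
    return preg_match('/(?:^|[;{])[OC]:\d+:"/', $raw) === 1;
}

// Constructed sample rows standing in for a zz_oauth2-style table.
$rows = [
    ['id' => 1, 'value' => serialize(['access_token' => 'tok', 'expires' => 1700000000])],
    ['id' => 2, 'value' => serialize(new stdClass())],
];
foreach ($rows as $row) {
    $flag = containsSerializedObject($row['value']) ? 'OBJECT (inspect)' : 'plain data';
    $decoded = loadStoredValue($row['value']);
    $safe = $decoded instanceof __PHP_Incomplete_Class ? 'neutralised' : 'decoded';
    echo "row {$row['id']}: {$flag}, {$safe}\n";
}
```

Running the audit helper over the affected table after patching is a cheap way to check whether any object payloads were stored before the update.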

How to fix CVE-2026-29782 in Devcode It/openstamanager

Patch immediately
  1. Update OpenSTAManager to version 2.10.2 or later.
  2. Update via Composer: `composer update devcode-it/openstamanager`

Verify with:

Check the OpenSTAManager version in the application's administration panel.

Workaround: None available. Patching is required.

NextGuard automatically flags CVE-2026-29782 if Devcode It/openstamanager appears in any of your monitored projects — no manual lookup required.

SQL Injection via Aggiornamenti Module

CVSS: 8.8
Affected versions: OpenSTAManager <= 2.9.8. Authenticated users with access to the Aggiornamenti module can exploit this.

High severity, allowing arbitrary SQL execution.

An estimated 0.061% of systems are potentially exposed.

The Aggiornamenti module allows execution of arbitrary SQL statements without validation, enabling attackers to modify or extract data. Foreign key checks are disabled during execution, further increasing the risk.

How to fix CVE-2026-35168 in Devcode It/openstamanager

Patch immediately
  1. Update OpenSTAManager to version 2.10.2 or later.
  2. Update via Composer: `composer update devcode-it/openstamanager`

Verify with:

Check the OpenSTAManager version in the application's administration panel.

Workaround: None available. Patching is required.
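The verification step is the same for all three CVEs above. As an added check (not part of the advisory), this script reads the locked version of `devcode-it/openstamanager` from a `composer.lock` and compares it against the fixed release 2.10.2, which is handier than opening the admin panel of every checkout. The lock-file path is the script's argument; the package name and fixed version come from the advisory.

```php
<?php
// Added check, not part of the advisory: confirms the locked package version
// after `composer update`. Package name and fixed version are taken from the
// advisory; the lock-file path is whatever you pass as the first argument.
declare(strict_types=1);

function lockedVersion(string $lockFile, string $package): ?string
{
    $json = file_get_contents($lockFile);
    if ($json === false) {
        throw new RuntimeException("cannot read {$lockFile}");
    }
    $lock = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    foreach (array_merge($lock['packages'] ?? [], $lock['packages-dev'] ?? []) as $pkg) {
        if (($pkg['name'] ?? null) === $package) {
            // composer.lock versions are usually tagged like "v2.10.1".
            return ltrim((string) $pkg['version'], 'v');
        }
    }
    return null;
}

// True when the locked version is at or above the fixed release.
function isPatched(?string $version, string $fixed = '2.10.2'): bool
{
    // Branch aliases such as "dev-master" cannot be compared; treat as unknown.
    if ($version === null || str_starts_with($version, 'dev-')) {
        return false;
    }
    return version_compare($version, $fixed, '>=');
}

$lockFile = $argv[1] ?? 'composer.lock';
$version = lockedVersion($lockFile, 'devcode-it/openstamanager');
if ($version === null) {
    fwrite(STDERR, "devcode-it/openstamanager not found in {$lockFile}\n");
    exit(2);
}
$ok = isPatched($version);
echo ($ok ? 'OK' : 'VULNERABLE') . ": locked version {$version}, fixed in 2.10.2\n";
exit($ok ? 0 : 1);
```

A non-zero exit status makes the script usable as a gate in CI or in a fleet-wide inventory run.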

NextGuard automatically flags CVE-2026-35168 if Devcode It/openstamanager appears in any of your monitored projects — no manual lookup required.


The vulnerabilities in OpenSTAManager pose a significant risk to organizations using this software. Prompt patching is crucial to protect against potential exploitation.
