Platform
php
Component
devcode-it/openstamanager
Fixed in
2.10.3
2.10.2
CVE-2026-28805 describes a critical SQL Injection vulnerability discovered in OpenSTAManager, a PHP-based asset management system. This flaw allows authenticated attackers to inject malicious SQL code, potentially leading to unauthorized data access and manipulation. Versions of OpenSTAManager prior to 2.10.2 are affected, and a patch has been released to address the issue.
The vulnerability lies within multiple AJAX select handlers where the options[stato] GET parameter is directly incorporated into SQL WHERE clauses without proper sanitization. An attacker who can authenticate to the OpenSTAManager system can craft malicious requests to inject arbitrary SQL statements. This allows them to bypass database security measures and extract sensitive information. The potential data at risk includes usernames, password hashes (potentially enabling account takeover), financial records, and any other data stored within the MySQL database. Successful exploitation could lead to significant data breaches and compromise the integrity of the entire asset management system.
CVE-2026-28805 was publicly disclosed on April 1, 2026. The vulnerability's ease of exploitation, combined with the potential for significant data compromise, suggests a medium probability of exploitation (EPSS score pending). No public proof-of-concept exploit had been released as of the disclosure date, but the nature of the vulnerability makes it likely that one will emerge. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS: 0.03% (10th percentile)
The primary mitigation is to immediately upgrade OpenSTAManager to version 2.10.2 or later, which includes the necessary fixes. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter requests containing suspicious SQL injection patterns in the options[stato] parameter. Additionally, review and restrict database user permissions to limit the potential impact of a successful attack. Monitor application logs for unusual SQL queries or error messages that might indicate exploitation attempts. After upgrading, confirm the fix by attempting a SQL injection payload via the affected parameter and verifying that it is properly sanitized.
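An added illustration of the pattern the advisory describes, not code from OpenSTAManager itself: a hypothetical AJAX select handler that reads options[stato] and filters on it in a WHERE clause, first in the vulnerable shape and then hardened with an allowlist plus a bound parameter. The table, column and state names are assumptions, and the demo runs against an in-memory SQLite database through PDO (pdo_sqlite).

```php
<?php
declare(strict_types=1);

// Added illustration (not OpenSTAManager's code). Hypothetical select handler
// receiving ?options[stato]=... as described in the advisory.
const ALLOWED_STATI = ['attivo', 'sospeso', 'chiuso'];   // assumed legitimate values

// Vulnerable: the GET value is pasted into the WHERE clause as raw SQL text,
// so a quote in the value ends the literal and the rest becomes SQL.
function selectVulnerable(PDO $db, array $options): array
{
    $stato = $options['stato'] ?? '';
    $sql = "SELECT id, nome FROM elementi WHERE stato = '$stato'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: accept only a string from the allowlist (this also rejects
// options[stato][]=... array tricks), then bind it so it is always data.
function selectHardened(PDO $db, array $options): array
{
    $stato = $options['stato'] ?? null;
    if (!is_string($stato) || !in_array($stato, ALLOWED_STATI, true)) {
        return [];   // unknown state: nothing to select, no error to leak
    }
    $stmt = $db->prepare('SELECT id, nome FROM elementi WHERE stato = :stato');
    $stmt->execute([':stato' => $stato]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Runnable demo on constructed sample data in an in-memory SQLite table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE elementi (id INTEGER PRIMARY KEY, nome TEXT, stato TEXT)');
$db->exec("INSERT INTO elementi (nome, stato) VALUES ('Server A', 'attivo'), ('Server B', 'chiuso')");

// A tautology in place of a state: the vulnerable handler matches every row,
// the hardened handler returns an empty set because the value is not allowlisted.
$tampered = ['stato' => "attivo' OR '1'='1"];
printf("vulnerable handler, tampered value: %d rows\n", count(selectVulnerable($db, $tampered)));
printf("hardened handler, tampered value:   %d rows\n", count(selectHardened($db, $tampered)));
printf("hardened handler, legitimate value: %d rows\n", count(selectHardened($db, ['stato' => 'attivo'])));
```

The same two-step check (allowlist, then bind) is what a WAF rule on options[stato] can only approximate, which is why the upgrade, not the WAF, is the fix.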
Update OpenSTAManager to version 2.10.2 or higher. This version contains a fix for the time-based SQL injection vulnerability.
CVE-2026-28805 is a SQL Injection vulnerability affecting OpenSTAManager versions up to 2.9.8, allowing attackers to potentially extract sensitive data from the database through the options[stato] parameter.
You are affected if you are running OpenSTAManager versions 2.9.8 or earlier. Upgrade to 2.10.2 or later to mitigate the risk.
The recommended fix is to upgrade OpenSTAManager to version 2.10.2 or later. As a temporary workaround, implement a WAF rule to filter malicious SQL injection attempts.
While no public exploits are currently known, the vulnerability's nature suggests a potential for exploitation. Continuous monitoring and prompt patching are crucial.
Refer to the official OpenSTAManager website and security advisories for the latest information and updates regarding CVE-2026-28805.