HIGH | CVE-2026-35168 | CVSS 8.8

CVE-2026-35168: OpenSTAManager SQL Injection in Aggiornamenti Module

Platform: php

Component: devcode-it/openstamanager

Fixed in: 2.10.2 (the page also lists 2.10.3)

AI Confidence: high | Source: NVD | EPSS: 0.1% | Reviewed: Apr 2026

CVE-2026-35168 describes a SQL Injection vulnerability within the Aggiornamenti (Updates) module of OpenSTAManager. This flaw allows an authenticated attacker to execute arbitrary SQL commands due to insufficient validation of SQL statements. Successful exploitation can lead to complete database compromise. This affects OpenSTAManager versions prior to 2.10.2, and is resolved in version 2.10.2.

Impact and Attack Scenarios

CVE-2026-35168 in OpenSTAManager (versions <= 2.10.1) allows an authenticated attacker to execute arbitrary SQL code against the application database. The 'Aggiornamenti' (Updates) module includes a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements in a POST request. The feature executes these statements directly without any validation, allowlist, or sanitization, so the attacker is not injecting into an existing query but supplying whole statements of their choosing. Anything the application's database account can do is therefore available: reading, modifying, or deleting data, altering schema, and whatever else that account's privileges permit. This compromises the integrity and confidentiality of the system's data. The CVSS 3.1 base score is 8.8 (High), indicating a significant risk.

Exploitation Context

Any attacker holding valid credentials that can reach the 'Aggiornamenti' module can exploit this vulnerability. The attacker sends a POST request with a JSON array of malicious SQL statements, and the lack of validation means each statement is executed as-is in the database's context. Exploitation complexity is low: it requires nothing beyond SQL knowledge and the ability to send HTTP requests, and it needs no user interaction. The authentication requirement limits exploitation to users who already have an account (or an attacker who has obtained one, for example through credential reuse or phishing), but the severity of the outcome warrants immediate attention.

Threat Intelligence

Exploit Status

Proof of Concept: Unknown
CISA KEV: No
Internet Exposure: High
Reports: 1 threat report

EPSS

0.08% (24th percentile)

CISA SSVC

Exploitation: poc
Automatable: no
Technical Impact: total

CVSS Vector

CVSS 3.1 vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (base score 8.8, HIGH)

Attack Vector: Network (how the attacker reaches the target)
Attack Complexity: Low (conditions required to exploit)
Privileges Required: Low (authentication level needed to attack)
User Interaction: None (whether a victim must take action)
Scope: Unchanged (impact beyond the vulnerable component)
Confidentiality: High (risk of sensitive data exposure)
Integrity: High (risk of unauthorized data modification)
Availability: High (risk of service disruption)
What do these metrics mean?
Attack Vector
Network — remotely exploitable over the internet. No physical or local access required. Widest attack surface.
Attack Complexity
Low — no special conditions required. Attacker can exploit reliably without depending on rare configurations or timing.
Privileges Required
Low — any valid user account is sufficient. Basic authenticated access required.
User Interaction
None — attack is automatic and silent. Victim does nothing: no click, no file open.
Scope
Unchanged — impact is limited to the vulnerable component itself.
Confidentiality
High — complete confidentiality loss. Attacker can read all data: credentials, keys, personal data.
Integrity
High — attacker can write, modify, or delete any data: databases, config files, or code.
Availability
High — complete crash or resource exhaustion. Full denial of service.

Affected Software

Component: devcode-it/openstamanager
Source: osv
Affected range: < 2.10.2
Fixed in: 2.10.2 (the page also lists 2.10.3)

Package Information

Latest release: 2.10.4 (updated recently)

Weakness Classification (CWE)

Timeline

  1. Reserved
  2. Published
  3. EPSS updated
Patched 17 days before public disclosure (the fixed release preceded publication of the CVE)

Mitigation and Workarounds

The fix is to upgrade OpenSTAManager to version 2.10.2 or later, which validates the SQL statements received through the op=risolvi-conflitti-database operation instead of executing them verbatim. Until the upgrade can be applied, restrict the 'Aggiornamenti' module to the small set of administrators who genuinely need it, and monitor for POST requests to that operation from any other account. Because the flaw is authenticated, reviewing and tightening authentication and authorization policies (unused accounts, weak passwords, overly broad roles) reduces the pool of users who could reach the endpoint. If an unpatched instance was reachable by untrusted accounts, also audit the database for unexpected schema or data changes, since the database is the component the attacker controls here. The upgrade is the only complete defense against this vulnerability.
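The following PHP script is an added illustration written for this page; it is not OpenSTAManager's code and does not reproduce the project's actual handler or its fix. It contrasts the flawed pattern described under Impact and Attack Scenarios (a JSON array of client-supplied SQL statements executed verbatim) with one hardening consistent with the validation described above: the client never sends SQL at all, only opaque ids of fix-up statements the server generated itself. The function names, the in-memory SQLite database, the `utenti` table, the conflict map and the attacker payload are all constructed assumptions for the demo; running it requires the pdo_sqlite extension.

```php
<?php
// Added illustrative example, not OpenSTAManager's code. Function names,
// table layout, conflict ids and the attacker payload are assumptions.
declare(strict_types=1);

// Flawed pattern as the advisory describes it: every element of the JSON
// array is treated as SQL and executed as-is.
function risolviConflittiVulnerable(PDO $db, string $jsonBody): int
{
    $statements = json_decode($jsonBody, true, 512, JSON_THROW_ON_ERROR);
    $executed = 0;
    foreach ($statements as $sql) {
        $db->exec($sql);          // $sql is fully attacker-controlled
        $executed++;
    }
    return $executed;
}

// Hardened pattern: $expected maps server-generated conflict ids to the
// statements the server itself decided are needed. The request may only
// reference those ids; anything else is rejected before any SQL runs, and
// the whole batch is applied atomically.
function risolviConflittiHardened(PDO $db, string $jsonBody, array $expected): int
{
    $ids = json_decode($jsonBody, true, 512, JSON_THROW_ON_ERROR);
    if (!is_array($ids)) {
        throw new InvalidArgumentException('expected a JSON array of conflict ids');
    }
    foreach ($ids as $id) {                       // validate everything first
        if (!is_string($id) || !array_key_exists($id, $expected)) {
            throw new InvalidArgumentException('unknown conflict id: ' . var_export($id, true));
        }
    }
    $db->beginTransaction();
    try {
        foreach ($ids as $id) {
            $db->exec($expected[$id]);            // server-generated SQL only
        }
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
    return count($ids);
}

// Constructed demo database (assumes pdo_sqlite is available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE utenti (id INTEGER PRIMARY KEY, username TEXT, is_admin INTEGER DEFAULT 0)');
$db->exec("INSERT INTO utenti (username) VALUES ('mario'), ('anna')");

// Constructed attacker payload: arbitrary SQL inside the array the endpoint expects.
$malicious = json_encode(["UPDATE utenti SET is_admin = 1 WHERE username = 'anna'"]);

risolviConflittiVulnerable($db, $malicious);
$admins = (int) $db->query('SELECT COUNT(*) FROM utenti WHERE is_admin = 1')->fetchColumn();
echo "vulnerable handler: admins after request = $admins\n";   // the injected UPDATE ran

// Server-side map of pre-generated conflict fixes (constructed for the demo).
$expected = ['c1' => 'ALTER TABLE utenti ADD COLUMN email TEXT'];

// Legitimate client request: references the fix by id, carries no SQL.
$n = risolviConflittiHardened($db, json_encode(['c1']), $expected);
echo "hardened handler: applied $n server-generated statement(s)\n";

// The same attacker payload is rejected by the hardened handler before anything executes.
try {
    risolviConflittiHardened($db, $malicious, $expected);
} catch (InvalidArgumentException $e) {
    echo "hardened handler: rejected request: " . $e->getMessage() . "\n";
}
```

The point of the hardened version is not to scan client SQL for dangerous keywords, which is fragile; it is to remove SQL from the trust boundary entirely, so the only statements that can ever run are ones the server composed. Validating the whole batch before opening the transaction also avoids a half-applied set of schema changes when one id is bad.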

How to fix

Upgrade OpenSTAManager to version 2.10.2 or later. That release contains the fix for the SQL injection vulnerability in the Aggiornamenti module and prevents attackers from executing arbitrary SQL commands against your database.


Frequently asked questions

What is CVE-2026-35168 — SQL Injection in devcode-it/openstamanager?

CVE-2026-35168 is an authenticated SQL injection in the Aggiornamenti (Updates) module of OpenSTAManager, an open-source management (ERP-style) application for technical assistance and invoicing. The module's database conflict resolution operation (op=risolvi-conflitti-database) executes a client-supplied JSON array of SQL statements without validation, giving any authenticated user who can reach it full control over the application database.

Am I affected by CVE-2026-35168 in devcode-it/openstamanager?

If you run any version prior to 2.10.2, you are vulnerable. Versions 2.10.2 and later contain the fix.

How do I fix CVE-2026-35168 in devcode-it/openstamanager?

Upgrade to OpenSTAManager 2.10.2 or later. Until then, restrict access to the 'Aggiornamenti' module to trusted administrators and monitor for requests to the conflict resolution operation.

Is CVE-2026-35168 being actively exploited?

At the time of review no public proof of concept was known, the CVE is not in the CISA KEV catalog, and its EPSS score is 0.08% (24th percentile). Exploitation requires an authenticated account, so the main practical risk is from insiders or compromised credentials.

Where can I find the official devcode-it/openstamanager advisory for CVE-2026-35168?

The record tracked here comes from OSV. Consult the OpenSTAManager project's release notes and documentation for the 2.10.2 release for further details.
