CVE-2026-35470

HIGH SEVERITY

CVSS Score & Metrics

Base Score

8.8 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H                                    

Vulnerability Description

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to 2.10.2, confronta_righe.php files across different modules in OpenSTAManager contain an SQL Injection vulnerability. The righe parameter received via $_GET['righe'] is directly concatenated into an SQL query without any sanitization, parameterization or validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including user credentials, customer information, invoice data and any other stored data. This vulnerability is fixed in 2.10.2.

Vulnerability Details

Published Date

April 03, 2026

Last Modified

April 07, 2026

CWE ID

CWE-89

Source

GitHub

Vendor

composer

Product

devcode-it/openstamanager

External References

https://github.com/devcode-it/openstamanager/security/advisories/GHSA-mmm5-3g4x-qw39
https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2
https://github.com/advisories/GHSA-mmm5-3g4x-qw39

CVE-2026-35470

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment