{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24418", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-22T18:19:49.175Z", "datePublished": "2026-02-06T18:06:47.383Z", "dateUpdated": "2026-02-06T18:48:34.264Z"}, "containers": {"cna": {"title": "OpenSTAManager has an SQL Injection vulnerability in the Scadenzario bulk operations module", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq"}], "affected": [{"vendor": "devcode-it", "product": "openstamanager", "versions": [{"version": "<= 2.9.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T18:06:47.383Z"}, "descriptions": [{"lang": "en", "value": "OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module. The application fails to validate that elements of the id_records array are integers before using them in an SQL IN() clause, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages."}], "source": {"advisory": "GHSA-4xwv-49c8-fvhq", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-06T18:47:55.649505Z", "id": "CVE-2026-24418", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T18:48:34.264Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24418", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-06T18:47:55.649505Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T18:48:24.877Z"}}], "cna": {"title": "OpenSTAManager has an SQL Injection vulnerability in the Scadenzario bulk operations module", "source": {"advisory": "GHSA-4xwv-49c8-fvhq", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "devcode-it", "product": "openstamanager", "versions": [{"status": "affected", "version": "<= 2.9.8"}]}], "references": [{"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq", "name": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module. The application fails to validate that elements of the id_records array are integers before using them in an SQL IN() clause, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T18:06:47.383Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24418", "state": "PUBLISHED", "dateUpdated": "2026-02-06T18:48:34.264Z", "dateReserved": "2026-01-22T18:19:49.175Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-06T18:06:47.383Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:*", "matchCriteriaId": "42CFDCCE-817A-4017-8C56-ECC90B1CF7A1", "versionEndIncluding": "2.9.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module. The application fails to validate that elements of the id_records array are integers before using them in an SQL IN() clause, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages."}], "id": "CVE-2026-24418", "lastModified": "2026-02-09T21:42:38.140", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-06T19:16:09.120", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T22:35:50.641840+00:00", "value": {"mitigation_remediation": ["Update to OpenSTAManager v2.9.9 or later, where the id_records input is validated to contain only integers.", "If an upgrade cannot be performed immediately, enforce server\u2011side validation on the id_records array, rejecting any non\u2011numeric values before the SQL query is constructed.", "Restrict access to the bulk operations endpoint to trusted administrators and monitor for anomalous query patterns or error messages that may indicate injection attempts."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection leading to data exfiltration"}, "threat_synthesis": {"affected_systems": "The vulnerability exists in devcode-it OpenSTAManager versions 2.9.8 and earlier. Users running these versions on any platform that exposes the Scadenzario bulk operations interface are affected.", "description_and_impact": "OpenSTAManager v2.9.8 and earlier allow a critical error\u2011based SQL injection through the bulk operations handler in the Scadenzario module. The code does not enforce integer validation on elements of the id_records array before inserting them into an SQL IN() clause, permitting an attacker to inject arbitrary SQL commands. This can lead to extraction of sensitive data via XPATH error messages and potentially further compromise of the database. The weakness maps to CWE-89, a classic injection flaw.", "risk_and_exploitability": "The CVSS score of 8.7 indicates a high severity, while the EPSS score of less than 1% suggests a low current exploitation probability. The advisory is not listed in the CISA KEV catalog, implying no confirmed widespread exploitation at the time of assessment. Exploitation likely requires access to the bulk operations API or web interface; it is inferred that authenticated or privileged users could use the vulnerable parameter to inject malicious SQL. The lack of immediate public exploitation mitigates urgency, but the high impact and available attack vector warrant prompt action."}}}}, "created": "2026-02-09T10:50:03.460386+00:00", "updated": "2026-04-17T22:45:29.931902+00:00", "vendors": ["devcode", "devcode$PRODUCT$openstamanager"]}