{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-24419", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-01-22T18:19:49.175Z", "datePublished": "2026-02-06T18:05:42.332Z", "dateUpdated": "2026-02-06T18:30:09.396Z"}, "containers": {"cna": {"title": "OpenSTAManager has an SQL Injection in the Prima Nota module", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 8.7, "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4j2x-jh4m-fqv6", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4j2x-jh4m-fqv6"}], "affected": [{"vendor": "devcode-it", "product": "openstamanager", "versions": [{"version": "<= 2.9.8", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T18:05:42.332Z"}, "descriptions": [{"lang": "en", "value": "OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the Prima Nota (Journal Entry) module's add.php file. The application fails to validate that comma-separated values from the id_documenti GET parameter are integers before using them in SQL IN() clauses, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages."}], "source": {"advisory": "GHSA-4j2x-jh4m-fqv6", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4j2x-jh4m-fqv6", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-06T18:30:04.684318Z", "id": "CVE-2026-24419", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T18:30:09.396Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-24419", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-02-06T18:30:04.684318Z"}}}], "references": [{"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4j2x-jh4m-fqv6", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-06T18:29:33.869Z"}}], "cna": {"title": "OpenSTAManager has an SQL Injection in the Prima Nota module", "source": {"advisory": "GHSA-4j2x-jh4m-fqv6", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 8.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}], "affected": [{"vendor": "devcode-it", "product": "openstamanager", "versions": [{"status": "affected", "version": "<= 2.9.8"}]}], "references": [{"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4j2x-jh4m-fqv6", "name": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4j2x-jh4m-fqv6", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the Prima Nota (Journal Entry) module's add.php file. The application fails to validate that comma-separated values from the id_documenti GET parameter are integers before using them in SQL IN() clauses, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-06T18:05:42.332Z"}}}, "cveMetadata": {"cveId": "CVE-2026-24419", "state": "PUBLISHED", "dateUpdated": "2026-02-06T18:30:09.396Z", "dateReserved": "2026-01-22T18:19:49.175Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-06T18:05:42.332Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:*", "matchCriteriaId": "42CFDCCE-817A-4017-8C56-ECC90B1CF7A1", "versionEndIncluding": "2.9.8", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the Prima Nota (Journal Entry) module's add.php file. The application fails to validate that comma-separated values from the id_documenti GET parameter are integers before using them in SQL IN() clauses, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages."}], "id": "CVE-2026-24419", "lastModified": "2026-02-09T21:55:03.027", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.7, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-06T18:15:58.333", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4j2x-jh4m-fqv6"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4j2x-jh4m-fqv6"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"analysis": {"en": {"generated_at": "2026-04-17T22:36:10.587763+00:00", "value": {"mitigation_remediation": ["Upgrade OpenSTAManager to a version released after 2.9.8 that contains the patch for the SQL injection vulnerability.", "Add server\u2011side validation to the id_documenti GET parameter to ensure all supplied values are numeric before they are used in SQL statements.", "Deploy a web application firewall or input sanitization rules to block malformed SQL injection attempts targeting the add.php route."], "summary": {"action": "Immediate Patch", "impact": "Arbitrary SQL injection exposing sensitive data"}, "threat_synthesis": {"affected_systems": "The flaw affects the devcode\u2011it OpenSTAManager product, specifically versions 2.9.8 and earlier. Any deployment of OpenSTAManager that includes the vulnerable add.php module and processes the id_documenti parameter through a publicly accessible web interface is at risk.", "description_and_impact": "The vulnerability resides in the Prima Nota (Journal Entry) module of OpenSTAManager, where the add.php script does not validate that the comma\u2011separated values in the id_documenti GET parameter are integers before incorporating them into SQL IN() clauses. This flaw permits attackers to inject arbitrary SQL code, resulting in error-based data extraction via XPATH error messages. The weakness is classified as CWE\u201189 and can lead to unauthorized data disclosure and potential manipulation of the database.", "risk_and_exploitability": "With a CVSS score of 8.7 and an EPSS score of less than 1%, the vulnerability presents a high severity but a low likelihood of exploitation under current conditions. It is not listed in the CISA KEV catalog. The attack vector is primarily remote, via crafted HTTP GET requests to the add.php endpoint. If exploited, an attacker can read confidential data and potentially influence database contents, depending on the underlying database permissions."}}}}, "created": "2026-02-09T10:49:58.911998+00:00", "updated": "2026-04-17T22:45:29.932408+00:00", "vendors": ["devcode", "devcode$PRODUCT$openstamanager"]}