{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-29782", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-04T16:26:02.898Z", "datePublished": "2026-04-02T13:42:25.134Z", "dateUpdated": "2026-04-03T19:52:52.158Z"}, "containers": {"cna": {"title": "OpenSTAManager: Remote Code Execution via Insecure Deserialization in OAuth2", "problemTypes": [{"descriptions": [{"cweId": "CWE-502", "lang": "en", "description": "CWE-502: Deserialization of Untrusted Data", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-whv5-4q2f-q68g", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-whv5-4q2f-q68g"}, {"name": "https://github.com/devcode-it/openstamanager/commit/d2e38cbdf91a831cefc0da1548e02b297ae644cc", "tags": ["x_refsource_MISC"], "url": "https://github.com/devcode-it/openstamanager/commit/d2e38cbdf91a831cefc0da1548e02b297ae644cc"}, {"name": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2"}], "affected": [{"vendor": "devcode-it", "product": "openstamanager", "versions": [{"version": "< 2.10.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T13:42:25.134Z"}, "descriptions": [{"lang": "en", "value": "OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize() on the access_token field without any class restriction. This issue has been patched in version 2.10.2."}], "source": {"advisory": "GHSA-whv5-4q2f-q68g", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-03T19:52:40.565184Z", "id": "CVE-2026-29782", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T19:52:52.158Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-29782", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-03T19:52:40.565184Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-03T19:52:47.217Z"}}], "cna": {"title": "OpenSTAManager: Remote Code Execution via Insecure Deserialization in OAuth2", "source": {"advisory": "GHSA-whv5-4q2f-q68g", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "devcode-it", "product": "openstamanager", "versions": [{"status": "affected", "version": "< 2.10.2"}]}], "references": [{"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-whv5-4q2f-q68g", "name": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-whv5-4q2f-q68g", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/devcode-it/openstamanager/commit/d2e38cbdf91a831cefc0da1548e02b297ae644cc", "name": "https://github.com/devcode-it/openstamanager/commit/d2e38cbdf91a831cefc0da1548e02b297ae644cc", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2", "name": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize() on the access_token field without any class restriction. This issue has been patched in version 2.10.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-502", "description": "CWE-502: Deserialization of Untrusted Data"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T13:42:25.134Z"}}}, "cveMetadata": {"cveId": "CVE-2026-29782", "state": "PUBLISHED", "dateUpdated": "2026-04-03T19:52:52.158Z", "dateReserved": "2026-03-04T16:26:02.898Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T13:42:25.134Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:*", "matchCriteriaId": "37690084-64E6-4E8B-8A92-8B55C8FC1E9F", "versionEndExcluding": "2.10.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize() on the access_token field without any class restriction. This issue has been patched in version 2.10.2."}], "id": "CVE-2026-29782", "lastModified": "2026-04-07T21:19:46.627", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-04-02T14:16:27.237", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/devcode-it/openstamanager/commit/d2e38cbdf91a831cefc0da1548e02b297ae644cc"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-whv5-4q2f-q68g"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-502"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.10.2)"}}], "enrichment": {"confidence": 94.0, "confidence_source": "matching", "scores": [{"score": 94.0, "source": "matching"}]}, "original": {"product": "openstamanager", "source": "cna", "vendor": "devcode-it"}, "product": "openstamanager", "vendor": "devcode"}], "analysis": {"en": {"generated_at": "2026-04-07T23:55:40.285966+00:00", "value": {"mitigation_remediation": ["Upgrade to OpenSTAManager version 2.10.2 or later."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Any deployment of devcode\u2011it OpenSTAManager running a version earlier than 2.10.2 is impacted because the vulnerable code resides in that release. Organizations using earlier releases should verify the build number and vendor the software for updates.", "description_and_impact": "Unsecured deserialization in the oauth2.php endpoint of OpenSTAManager permits an attacker to supply a crafted state parameter that is unserialized without verification, enabling arbitrary code execution on the server. The vulnerability can compromise confidentiality, integrity, and availability if successfully exploited. The flaw has a CVSS score of 7.2, classifying it as high severity. It reflects a common insecure deserialization weakness as indicated by CWE-502.", "risk_and_exploitability": "Exploitation requires only an unauthenticated HTTP GET request to the oauth2.php script. The EPSS score is reported as less than 1% and the vulnerability is not yet listed in CISA\u2019s KEV catalog, yet the potential for full remote compromise makes it a high priority. Affected systems exposed to external networks or with internal threat actors can be compromised without additional credentials. The attack path is straightforward and does not depend on complicated configuration or post\u2011exploitation steps."}}}}, "created": "2026-04-02T20:12:31.372809+00:00", "updated": "2026-04-08T19:56:31.678818+00:00", "vendors": ["devcode", "devcode$PRODUCT$openstamanager"]}