{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35168", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-01T17:26:21.133Z", "datePublished": "2026-04-02T13:48:16.626Z", "dateUpdated": "2026-04-02T16:23:20.657Z"}, "containers": {"cna": {"title": "OpenSTAManager: SQL Injection via Aggiornamenti Module", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98"}, {"name": "https://github.com/devcode-it/openstamanager/commit/43970676bcd6636ff8663652fd82579f737abb74", "tags": ["x_refsource_MISC"], "url": "https://github.com/devcode-it/openstamanager/commit/43970676bcd6636ff8663652fd82579f737abb74"}, {"name": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2"}], "affected": [{"vendor": "devcode-it", "product": "openstamanager", "versions": [{"version": "< 2.10.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T13:48:16.626Z"}, "descriptions": [{"lang": "en", "value": "OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization. An authenticated attacker with access to the Aggiornamenti module can execute arbitrary SQL statements including CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, SELECT INTO OUTFILE, and any other SQL command supported by the MySQL server. Foreign key checks are explicitly disabled before execution (SET FOREIGN_KEY_CHECKS=0), further reducing database integrity protections. This issue has been patched in version 2.10.2."}], "source": {"advisory": "GHSA-2fr7-cc4f-wh98", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T16:19:18.702127Z", "id": "CVE-2026-35168", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T16:23:20.657Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35168", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T16:19:18.702127Z"}}}], "references": [{"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T16:19:29.009Z"}}], "cna": {"title": "OpenSTAManager: SQL Injection via Aggiornamenti Module", "source": {"advisory": "GHSA-2fr7-cc4f-wh98", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "devcode-it", "product": "openstamanager", "versions": [{"status": "affected", "version": "< 2.10.2"}]}], "references": [{"url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98", "name": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/devcode-it/openstamanager/commit/43970676bcd6636ff8663652fd82579f737abb74", "name": "https://github.com/devcode-it/openstamanager/commit/43970676bcd6636ff8663652fd82579f737abb74", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2", "name": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization. An authenticated attacker with access to the Aggiornamenti module can execute arbitrary SQL statements including CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, SELECT INTO OUTFILE, and any other SQL command supported by the MySQL server. Foreign key checks are explicitly disabled before execution (SET FOREIGN_KEY_CHECKS=0), further reducing database integrity protections. This issue has been patched in version 2.10.2."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-89", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T13:48:16.626Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35168", "state": "PUBLISHED", "dateUpdated": "2026-04-02T16:23:20.657Z", "dateReserved": "2026-04-01T17:26:21.133Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-02T13:48:16.626Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:*", "matchCriteriaId": "37690084-64E6-4E8B-8A92-8B55C8FC1E9F", "versionEndExcluding": "2.10.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization. An authenticated attacker with access to the Aggiornamenti module can execute arbitrary SQL statements including CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, SELECT INTO OUTFILE, and any other SQL command supported by the MySQL server. Foreign key checks are explicitly disabled before execution (SET FOREIGN_KEY_CHECKS=0), further reducing database integrity protections. This issue has been patched in version 2.10.2."}], "id": "CVE-2026-35168", "lastModified": "2026-04-07T18:30:59.500", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T14:16:31.543", "references": [{"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/devcode-it/openstamanager/commit/43970676bcd6636ff8663652fd82579f737abb74"}, {"source": "security-advisories@github.com", "tags": ["Product", "Release Notes"], "url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2"}, {"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.10.2)"}}], "enrichment": {"confidence": 94.0, "confidence_source": "matching", "scores": [{"score": 94.0, "source": "matching"}]}, "original": {"product": "openstamanager", "source": "cna", "vendor": "devcode-it"}, "product": "openstamanager", "vendor": "devcode"}], "analysis": {"en": {"generated_at": "2026-04-07T21:44:16.093028+00:00", "value": {"mitigation_remediation": ["Upgrade to OpenSTAManager 2.10.2 or later to remove the vulnerability.", "Limit use of the Aggiornamenti module to trusted administrators only if a patch can not be applied immediately.", "After applying the patch, audit database logs for suspicious activity and restore affected data if necessary."], "summary": {"action": "Immediate Patch", "impact": "SQL Injection enabling arbitrary database manipulation"}, "threat_synthesis": {"affected_systems": "The vulnerability affects the OpenSTAManager product by devcode-it, specifically all releases prior to version 2.10.2. Users running those earlier versions with the Aggiornamenti module enabled are exposed.", "description_and_impact": "A flaw in the Aggiornamenti module of OpenSTAManager permits an authenticated user to submit a JSON array of raw SQL statements that are executed directly against the MySQL database without any validation or sanitization. This allows the attacker to perform CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, or even SELECT INTO OUTFILE commands, effectively giving them full SQL injection capabilities and the ability to disable foreign key checks before execution, further undermining database integrity.", "risk_and_exploitability": "The issue has a CVSS score of 8.8 and an EPSS score of less than 1%, indicating high severity but a low probability of exploitation in the wild. It is not listed in CISA\u2019s KEV catalog. Exploitation requires authentication and access to the Aggiornamenti module; once reached, the attacker can execute arbitrary SQL and exfiltrate data or alter the database structure."}}}}, "created": "2026-04-02T20:12:28.597459+00:00", "updated": "2026-04-08T19:56:29.331803+00:00", "vendors": ["devcode", "devcode$PRODUCT$openstamanager"]}