CVE-2026-35168

Source
https://cve.org/CVERecord?id=CVE-2026-35168
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35168.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-35168
Aliases
Published
2026-04-02T13:48:16.626Z
Modified
2026-07-08T08:12:59.340091326Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
OpenSTAManager: SQL Injection via Aggiornamenti Module
Details

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization. An authenticated attacker with access to the Aggiornamenti module can execute arbitrary SQL statements including CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, SELECT INTO OUTFILE, and any other SQL command supported by the MySQL server. Foreign key checks are explicitly disabled before execution (SET FOREIGNKEYCHECKS=0), further reducing database integrity protections. This issue has been patched in version 2.10.2.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35168.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-89"
    ]
}
References

Affected packages

Git / github.com/devcode-it/openstamanager

Affected ranges

Type
GIT
Repo
https://github.com/devcode-it/openstamanager
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.10.2"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

v2.*
v2.10-beta
v2.10.1
v2.3-beta.1
v2.3-beta.2
v2.4
v2.4.10
v2.4.11
v2.4.12
v2.4.13
v2.4.14
v2.4.16
v2.4.17
v2.4.2
v2.4.20
v2.4.22
v2.4.23
v2.4.24
v2.4.25
v2.4.28
v2.4.3
v2.4.32
v2.4.38
v2.4.4
v2.4.40
v2.4.41
v2.4.42
v2.4.43
v2.4.44
v2.4.47
v2.4.49
v2.4.51
v2.4.53
v2.4.54
v2.4.6
v2.4.8
v2.4.9
v2.5
v2.5.1-beta
v2.5.2-beta
v2.5.3
v2.5.4
v2.5.5
v2.6.1
v2.6.2
v2.9.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35168.json"