CVE-2026-35470

Source
https://cve.org/CVERecord?id=CVE-2026-35470
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35470.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-35470
Aliases
Published
2026-04-06T17:40:32.973Z
Modified
2026-07-08T08:12:58.287605704Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
OpenSTAManager has a SQL Injection via righe Parameter in confronta_righe Modals
Details

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to 2.10.2, confronta_righe.php files across different modules in OpenSTAManager contain an SQL Injection vulnerability. The righe parameter received via $_GET['righe'] is directly concatenated into an SQL query without any sanitization, parameterization or validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including user credentials, customer information, invoice data and any other stored data. This vulnerability is fixed in 2.10.2.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-89"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/35xxx/CVE-2026-35470.json"
}
References

Affected packages

Git / github.com/devcode-it/openstamanager

Affected ranges

Type
GIT
Repo
https://github.com/devcode-it/openstamanager
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.10.2"
        }
    ],
    "cpe": "cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:*",
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

v2.*
v2.10-beta
v2.10.1
v2.3-beta.1
v2.3-beta.2
v2.4
v2.4.10
v2.4.11
v2.4.12
v2.4.13
v2.4.14
v2.4.16
v2.4.17
v2.4.2
v2.4.20
v2.4.22
v2.4.23
v2.4.24
v2.4.25
v2.4.28
v2.4.3
v2.4.32
v2.4.38
v2.4.4
v2.4.40
v2.4.41
v2.4.42
v2.4.43
v2.4.44
v2.4.47
v2.4.49
v2.4.51
v2.4.53
v2.4.54
v2.4.6
v2.4.8
v2.4.9
v2.5
v2.5.1-beta
v2.5.2-beta
v2.5.3
v2.5.4
v2.5.5
v2.6.1
v2.6.2
v2.9.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-35470.json"