Vulnerability Description
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to 2.10.2, confronta_righe.php files across different modules in OpenSTAManager contain an SQL Injection vulnerability. The righe parameter received via $_GET['righe'] is directly concatenated into an SQL query without any sanitization, parameterization or validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including user credentials, customer information, invoice data and any other stored data. This vulnerability is fixed in 2.10.2.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Devcode | Openstamanager | < 2.10.2 |
Related Weaknesses (CWE)
References
- https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2ProductRelease Notes
- https://github.com/devcode-it/openstamanager/security/advisories/GHSA-mmm5-3g4x-ExploitMitigationVendor Advisory
- https://github.com/devcode-it/openstamanager/security/advisories/GHSA-mmm5-3g4x-ExploitMitigationVendor Advisory
FAQ
What is CVE-2026-35470?
CVE-2026-35470 is a vulnerability with a CVSS score of 8.8 (HIGH). OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to 2.10.2, confronta_righe.php files across different modules in OpenSTAManager contain an SQL Inject...
How severe is CVE-2026-35470?
CVE-2026-35470 has been rated HIGH with a CVSS base score of 8.8/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-35470?
Check the references section above for vendor advisories and patch information. Affected products include: Devcode Openstamanager.