OpenSTAManager SQL Injection (CVE-2026-28805)
OpenSTAManager is open-source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind...
Overview
A high-severity SQL injection vulnerability, tracked as CVE-2026-28805, affects OpenSTAManager, an open-source platform for technical assistance and invoicing. The flaw exists in multiple AJAX select handlers and allows authenticated attackers to execute arbitrary SQL commands on the underlying MySQL database.
Vulnerability Details
In versions prior to 2.10.2, the software fails to sanitize user input passed through the options[stato] GET parameter. The value is read directly into a variable and then concatenated, without any filtering or parameter binding, into SQL WHERE clauses, a classic SQL injection condition. Because the injection is blind (the query's results are not reflected in the response), an attacker infers them indirectly by observing timing delays in the application's responses, which allows data to be extracted systematically, one condition at a time.
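To make the flaw concrete, here is an added example (not code from OpenSTAManager) that reproduces the pattern the advisory describes against an in-memory SQLite table. The table name `tickets`, its columns and rows, and the `ALLOWED_STATES` set are constructed for the demo. `vulnerable_select` splices the request value straight into the WHERE clause, `hardened_select` binds it as a parameter, and `strict_select` adds an allow-list check on top, since a status is a closed set of values.

```python
import sqlite3

# Constructed allow-list of valid status values (not OpenSTAManager's real states).
ALLOWED_STATES = {"aperto", "chiuso"}


def setup_db():
    """Create a constructed in-memory table standing in for the real ticket data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, descrizione TEXT, stato TEXT)")
    conn.executemany(
        "INSERT INTO tickets VALUES (?, ?, ?)",
        [(1, "Printer jam", "aperto"), (2, "Router reboot", "chiuso"), (3, "Backup failed", "aperto")],
    )
    conn.commit()
    return conn


def vulnerable_select(conn, stato):
    """Flawed pattern from the advisory: the request value becomes part of the SQL text."""
    sql = "SELECT id FROM tickets WHERE stato = '" + stato + "' ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def hardened_select(conn, stato):
    """Parameter binding: the driver sends the value out-of-band, so it can never become SQL syntax."""
    sql = "SELECT id FROM tickets WHERE stato = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (stato,))]


def strict_select(conn, stato):
    """Defence in depth: reject anything outside the known status set before touching the database."""
    if stato not in ALLOWED_STATES:
        raise ValueError(f"unexpected stato value: {stato!r}")
    return hardened_select(conn, stato)


def rejects(conn, stato):
    """True if strict_select refuses the value (used to show the allow-list working)."""
    try:
        strict_select(conn, stato)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    db = setup_db()
    crafted = "x' OR '1'='1"
    print("vulnerable, legitimate value:", vulnerable_select(db, "aperto"))
    print("vulnerable, crafted value:   ", vulnerable_select(db, crafted))  # every row leaks
    print("hardened, crafted value:     ", hardened_select(db, crafted))    # treated as a literal string
    print("strict rejects crafted value:", rejects(db, crafted))
```

The crafted value turns the WHERE clause into `stato = 'x' OR '1'='1'`, which matches every row in the concatenated version; the bound version compares the whole string literally and matches nothing. The same separation of code and data is what a prepared statement provides in PHP/MySQL, which is the fix the project shipped in 2.10.2.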
Impact and Risks
With a CVSS score of 8.8, this vulnerability poses a significant risk. An attacker with a standard user account can craft malicious requests to read any data within the connected database. This includes highly sensitive information such as administrator usernames and password hashes, client financial records, invoice details, and internal technical assistance tickets. Successful exploitation could lead to a full compromise of business data, financial fraud, and further system access.
Remediation and Mitigation
The primary and only complete remediation is to upgrade OpenSTAManager to version 2.10.2 or later immediately. The developers have patched the vulnerability in this release.
Actionable Steps:
- Upgrade: Identify all instances of OpenSTAManager and upgrade them to version 2.10.2 without delay.
- Audit Logs: Review application and database logs for any unusual or repeated AJAX requests to select handlers, particularly those containing the options[stato] parameter with unusual values.
- Principle of Least Privilege: Ensure that all user accounts in the system are assigned only the permissions absolutely necessary for their role to limit the potential of an authenticated attack.
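The log-audit step above can be scripted. The following is an added example, not part of the advisory or the project, that parses web-server access log lines in combined log format, decodes the query string, and flags requests whose `options[stato]` value is either outside the expected status set or carries SQL metacharacters and timing functions. The sample log lines, the `/ajax_select.php` path, the `op=stati` parameter and the `EXPECTED_STATES` set are all constructed assumptions; adjust them to the handler paths and status values of your own deployment.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample access-log lines (Apache combined format). Not from a real deployment.
SAMPLE_LOG = """\
10.0.0.5 - alice [12/Mar/2026:10:01:02 +0000] "GET /ajax_select.php?op=stati&options%5Bstato%5D=aperto HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.5 - alice [12/Mar/2026:10:01:09 +0000] "GET /ajax_select.php?op=stati&options%5Bstato%5D=chiuso HTTP/1.1" 200 498 "-" "Mozilla/5.0"
10.0.0.9 - bob [12/Mar/2026:10:02:15 +0000] "GET /ajax_select.php?op=stati&options%5Bstato%5D=aperto%27%20SLEEP(3) HTTP/1.1" 200 120 "-" "python-requests/2.31"
10.0.0.9 - bob [12/Mar/2026:10:02:21 +0000] "GET /ajax_select.php?op=stati&options%5Bstato%5D=aperto%27%20BENCHMARK(1,1) HTTP/1.1" 200 120 "-" "python-requests/2.31"
10.0.0.9 - bob [12/Mar/2026:10:02:28 +0000] "GET /ajax_select.php?op=stati&options%5Bstato%5D=sconosciuto HTTP/1.1" 200 121 "-" "python-requests/2.31"
"""

# Constructed allow-list: the status values the application legitimately sends.
EXPECTED_STATES = {"aperto", "chiuso", "in lavorazione"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Quotes, comment openers and common time-based functions have no place in a status value.
SUSPICIOUS = re.compile(r"['\"`;]|--|/\*|\b(sleep|benchmark|union|select)\s*\(", re.IGNORECASE)


def parse_line(line):
    """Split one access-log line into client, user, path and decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "user": m.group("user"),
        "path": parts.path,
        "params": parse_qs(parts.query, keep_blank_values=True),
    }


def stato_values(params):
    """parse_qs percent-decodes the key, so %5Bstato%5D arrives as the literal 'options[stato]'."""
    return params.get("options[stato]", [])


def classify(value):
    """'expected' for allow-listed values, 'injection-pattern' on SQL metacharacters, else 'unexpected'."""
    if value in EXPECTED_STATES:
        return "expected"
    if SUSPICIOUS.search(value):
        return "injection-pattern"
    return "unexpected"


def triage(log_text):
    """Return (findings, per-client counts) for every non-expected options[stato] value."""
    findings = []
    per_ip = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        for value in stato_values(rec["params"]):
            verdict = classify(value)
            if verdict != "expected":
                per_ip[rec["ip"]] += 1
                findings.append((rec["ip"], rec["user"], rec["path"], verdict, value))
    return findings, per_ip


if __name__ == "__main__":
    hits, counts = triage(SAMPLE_LOG)
    for ip, user, path, verdict, value in hits:
        print(f"{ip:<10} {user:<6} {path} {verdict:<18} {value!r}")
    print("requests per client:", dict(counts))
```

Repeated hits from one client in a short window are the pattern to look for: blind extraction needs many requests, each differing only in the injected condition, so the count per client matters as much as any single value. Because the handler requires authentication, the `user` field also tells you which account was used and whether it should be suspended or have its credentials rotated.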
Security Insight
This vulnerability highlights the persistent risk of SQL injection in applications that handle financial and customer data, even with the widespread knowledge of parameterized queries. The flaw’s presence in multiple AJAX handlers suggests a systemic lack of secure coding practices for dynamic queries within the codebase, a pattern often seen in legacy or rapidly developed business software. It serves as a critical reminder for organizations to prioritize software composition analysis and secure development lifecycle training, especially for internally used business tools that may not receive the same security scrutiny as customer-facing applications.