OpenSTAManager SQLi (CVE-2026-35470)
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to 2.10.2, confronta_righe.php files across different modules in OpenSTAManager contain an SQL Inject...
Overview
A high-severity SQL injection vulnerability, tracked as CVE-2026-35470, affects OpenSTAManager, an open-source platform for technical assistance and invoicing. The flaw exists in multiple confronta_righe.php files and allows an authenticated attacker to execute arbitrary SQL commands on the application’s database.
Technical Details
The vulnerability stems from improper handling of user input. The application uses the righe parameter, passed via the $_GET['righe'] variable, and directly concatenates it into SQL queries without any sanitization, parameterization, or validation. This insecure coding practice creates a classic SQL injection pathway. An attacker with a standard user account can craft malicious requests containing SQL statements.
Impact
Successful exploitation enables an attacker to read, modify, or delete any data within the connected database. This includes highly sensitive information such as:
- User credentials (usernames and password hashes)
- Customer personal and financial data
- Complete invoice and payment records
- Internal technical assistance tickets
Such a breach could lead to significant financial fraud, identity theft, and operational disruption.
Remediation and Mitigation
The only complete remediation is to upgrade OpenSTAManager to version 2.10.2 or later, which contains the fix for this vulnerability. Administrators should apply this update immediately.
Immediate Action Steps:
- Update: Upgrade all instances of OpenSTAManager to version 2.10.2.
- Audit: Review application and database logs for any suspicious SQL query patterns or unexpected data access attempts prior to the patch.
- Principle of Least Privilege: Ensure database accounts used by the application have only the minimum necessary permissions, which can help limit the damage of a successful injection.
There is no effective workaround for this vulnerability short of applying the official patch. Input validation at the application layer alone does not address the root cause; the fix requires proper SQL query parameterization, so that the value of righe is bound as data rather than spliced into the query text.
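The concatenation pattern described under Technical Details, placed beside the parameterized form this section calls for, as an added example that is not OpenSTAManager's own code. The table and column names, and the reading of righe as a comma-separated list of row ids, are assumptions made for the illustration.

```php
<?php
// Added example, not OpenSTAManager's own code. Table and column names, and the
// reading of "righe" as a comma-separated list of row ids, are assumptions.

// BEFORE: the pattern behind CVE-2026-35470. $_GET['righe'] is spliced into the
// statement, so whatever the client sends becomes part of the SQL text.
function confrontaRigheVulnerabile(PDO $pdo, array $get): array
{
    $righe = $get['righe'];                      // attacker-controlled, never checked
    $sql = "SELECT id, descrizione, prezzo FROM righe_documento WHERE id IN ($righe)";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// AFTER: reject anything that is not a list of positive integers, then bind each
// id through a prepared statement so the values can never alter the query shape.
function confrontaRigheSicuro(PDO $pdo, array $get): array
{
    $raw = (string)($get['righe'] ?? '');
    if (!preg_match('/^[1-9]\d*(,[1-9]\d*)*$/', $raw)) {
        throw new InvalidArgumentException('righe must be a comma-separated list of row ids');
    }
    $ids = array_map('intval', explode(',', $raw));
    $placeholders = implode(',', array_fill(0, count($ids), '?'));   // one "?" per id
    $stmt = $pdo->prepare(
        "SELECT id, descrizione, prezzo FROM righe_documento WHERE id IN ($placeholders)"
    );
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, $id, PDO::PARAM_INT);               // positional, 1-based
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained run against an in-memory SQLite database with constructed rows.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE righe_documento (id INTEGER PRIMARY KEY, descrizione TEXT, prezzo REAL)');
$pdo->exec("INSERT INTO righe_documento VALUES (1,'Uscita tecnico',80.0),(2,'Ricambio',25.5),(3,'Manodopera',40.0)");

print_r(confrontaRigheSicuro($pdo, ['righe' => '1,3']));          // rows 1 and 3
try {
    confrontaRigheSicuro($pdo, ['righe' => '1,abc']);             // fails the shape check
} catch (InvalidArgumentException $e) {
    echo "rejected: {$e->getMessage()}\n";
}
```

On MySQL, also set PDO::ATTR_EMULATE_PREPARES to false so the statement is prepared server-side rather than assembled by the client driver.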
Security Insight
This vulnerability highlights the persistent risk of SQL injection in legacy or niche business software, where security practices may lag behind core development. Like flaws in other small-project management tools, CVE-2026-35470 shows that even applications handling sensitive financial data can be built on fragile, concatenated queries. It is a reminder for organizations to vet the security posture of all software in their stack, not just major enterprise products.