Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-35470

CVE-2026-35470: OpenSTAManager SQL Injection Vulnerability

CVE-2026-35470 is an SQL injection flaw in OpenSTAManager that allows authenticated attackers to extract sensitive database information. This post covers technical details, affected versions, impact, and mitigation.

Published:

CVE-2026-35470 Overview

CVE-2026-35470 is a SQL Injection vulnerability affecting OpenSTAManager, an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the confronta_righe.php files across different modules contain a critical SQL Injection vulnerability where the righe parameter received via $_GET['righe'] is directly concatenated into an SQL query without any sanitization, parameterization, or validation.

Critical Impact

An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including user credentials, customer information, invoice data, and any other stored data.

Affected Products

  • OpenSTAManager versions prior to 2.10.2
  • Multiple modules containing confronta_righe.php files

Discovery Timeline

  • April 6, 2026 - CVE-2026-35470 published to NVD
  • April 7, 2026 - Last updated in NVD database

Technical Details for CVE-2026-35470

Vulnerability Analysis

This SQL Injection vulnerability (CWE-89) exists in the confronta_righe.php files found across multiple modules within OpenSTAManager. The vulnerability is classified as a network-accessible attack that requires low-privilege authentication to exploit. Once authenticated, an attacker can leverage this flaw to manipulate database queries and access or modify sensitive information stored in the application's database.

The impact of successful exploitation is severe, potentially compromising the confidentiality, integrity, and availability of all data managed by the application. This includes but is not limited to user credentials, customer personal information, invoice records, and business-critical financial data.

Root Cause

The root cause of this vulnerability is improper input handling in the affected PHP files. The righe parameter from user input ($_GET['righe']) is directly concatenated into SQL queries without implementing proper security controls such as:

  • Input sanitization or filtering
  • Parameterized queries (prepared statements)
  • Input validation against expected data types or patterns

This coding practice violates secure development principles and leaves the application vulnerable to SQL Injection attacks.

Attack Vector

The attack vector is network-based, requiring an authenticated user session. An attacker with valid credentials can manipulate the righe GET parameter in HTTP requests to inject malicious SQL statements. The injected SQL code is then executed by the database server with the same privileges as the application's database connection.

The attacker can craft malicious requests to:

  • Extract sensitive data using UNION-based or error-based SQL injection techniques
  • Bypass authentication or authorization controls
  • Modify or delete database records
  • Potentially escalate privileges within the database system

For technical details and proof of concept information, refer to the GitHub Security Advisory GHSA-mmm5-3g4x-qw39.

Detection Methods for CVE-2026-35470

Indicators of Compromise

  • Unusual or malformed requests to confronta_righe.php endpoints containing SQL syntax characters (e.g., single quotes, UNION, SELECT, OR statements)
  • Database error messages appearing in application logs or responses
  • Unexpected data access patterns or bulk data retrieval from the database
  • Authentication anomalies or privilege escalation events following normal user sessions

Detection Strategies

  • Implement web application firewall (WAF) rules to detect and block SQL injection patterns in the righe parameter
  • Monitor application logs for requests containing SQL injection payloads targeting confronta_righe.php files
  • Deploy database activity monitoring to detect anomalous query patterns or unauthorized data access
  • Use intrusion detection systems (IDS) with signatures for common SQL injection attack patterns

Monitoring Recommendations

  • Enable detailed logging for all requests to OpenSTAManager modules, particularly those involving confronta_righe.php
  • Configure alerts for database queries that deviate from expected application behavior
  • Monitor for failed SQL queries that may indicate injection attempts being blocked or failing
  • Review authentication logs for unusual session activity following normal login patterns

How to Mitigate CVE-2026-35470

Immediate Actions Required

  • Upgrade OpenSTAManager to version 2.10.2 or later immediately
  • Review database logs for any evidence of prior exploitation
  • Audit user accounts for unauthorized access or privilege changes
  • Consider rotating database credentials if exploitation is suspected

Patch Information

The vulnerability is fixed in OpenSTAManager version 2.10.2. The patch is available via the official release on GitHub: GitHub Release v2.10.2. Organizations should update to this version as soon as possible to remediate the vulnerability.

For additional details about the security fix, refer to the GitHub Security Advisory GHSA-mmm5-3g4x-qw39.

Workarounds

  • Implement a web application firewall (WAF) to filter and block SQL injection patterns in incoming requests
  • Restrict network access to OpenSTAManager to trusted IP ranges or VPN-connected users only
  • Apply the principle of least privilege to the database account used by OpenSTAManager
  • Temporarily disable or restrict access to affected modules until patching is complete
  • Enable database query auditing to detect and respond to exploitation attempts

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.