SQL Injection Vulnerability in OpenSTAManager Affected by Database Conflict Resolution Feature
CVE-2026-35168

8.8 HIGH

Key Information:

Vendor: Devcode-it
CVE Published: 2 April 2026

What is CVE-2026-35168?

OpenSTAManager, an open-source management application for technical assistance and invoicing, has a security flaw in its Updates module. Prior to version 2.10.2, the module accepts a JSON array of SQL statements in a POST request and executes them directly against the database without validation or sanitization. An authenticated attacker can therefore run arbitrary SQL commands, including but not limited to CREATE, DROP, ALTER, INSERT and DELETE, and compromise database integrity. The absence of foreign key checks during execution further increases the risk, since the database's referential integrity protections are bypassed. Users are advised to update to version 2.10.2, which fixes the issue.
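As an added illustration (not OpenSTAManager's code; its Updates module is not reproduced here), the following Python sketch models the pattern the advisory describes against an in-memory SQLite database, then contrasts it with a handler that accepts only server-defined update step names and keeps foreign key checks enabled. The table names, the update step name and the request bodies are constructed for the example.

```python
import json
import sqlite3

# Constructed sample schema (not OpenSTAManager's): a parent table and a child
# table with a foreign key, so the effect of foreign key checks is observable.
SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT NOT NULL);
CREATE TABLE invoices (
    id INTEGER PRIMARY KEY,
    customer_id INTEGER NOT NULL REFERENCES customers(id)
);
INSERT INTO customers VALUES (1, 'Example customer');
INSERT INTO invoices VALUES (10, 1);
"""


def fresh_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def vulnerable_update_handler(conn, request_body):
    """The pattern the advisory describes: a JSON array of SQL statements taken
    from the client is executed verbatim, with foreign key checks switched off."""
    conn.execute("PRAGMA foreign_keys = OFF")
    for statement in json.loads(request_body):
        conn.execute(statement)
    conn.commit()


# Hardened variant: the SQL for each update step lives on the server. The client
# may only name a step; it never supplies SQL. Step name is constructed here.
UPDATE_STEPS = {
    "2.10.2-add-invoice-notes": "ALTER TABLE invoices ADD COLUMN notes TEXT",
}


class RejectedUpdate(Exception):
    pass


def hardened_update_handler(conn, request_body):
    """Accept only allowlisted step names and keep referential integrity on."""
    conn.execute("PRAGMA foreign_keys = ON")
    try:
        requested = json.loads(request_body)
    except json.JSONDecodeError as exc:
        raise RejectedUpdate("body is not valid JSON") from exc
    if not isinstance(requested, list) or not all(isinstance(s, str) for s in requested):
        raise RejectedUpdate("expected a JSON array of step names")
    unknown = [s for s in requested if s not in UPDATE_STEPS]
    if unknown:
        raise RejectedUpdate("unknown update step(s): %r" % unknown)
    applied = []
    for step in requested:
        conn.execute(UPDATE_STEPS[step])
        applied.append(step)
    conn.commit()
    return applied


def table_names(conn):
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type='table' ORDER BY name")
    return [r[0] for r in rows]


def demo_vulnerable():
    """Returns the number of orphaned invoices after a client-supplied statement runs."""
    conn = fresh_db()
    # Constructed request body of the kind the advisory describes. Deleting the
    # parent row succeeds only because foreign key checks are off.
    body = json.dumps(["DELETE FROM customers WHERE id = 1"])
    vulnerable_update_handler(conn, body)
    return conn.execute(
        "SELECT COUNT(*) FROM invoices WHERE customer_id NOT IN (SELECT id FROM customers)"
    ).fetchone()[0]


def demo_hardened():
    """Same raw-SQL body is rejected; a named step runs; foreign keys stay enforced."""
    conn = fresh_db()
    results = {}
    try:
        hardened_update_handler(conn, json.dumps(["DELETE FROM customers WHERE id = 1"]))
        results["raw_sql"] = "executed"
    except RejectedUpdate as exc:
        results["raw_sql"] = "rejected: %s" % exc
    results["allowlisted"] = hardened_update_handler(conn, json.dumps(["2.10.2-add-invoice-notes"]))
    try:
        conn.execute("DELETE FROM customers WHERE id = 1")
        results["fk_enforced"] = False
    except sqlite3.IntegrityError:
        results["fk_enforced"] = True
    results["tables"] = table_names(conn)
    return results


if __name__ == "__main__":
    print("orphaned invoices after vulnerable handler:", demo_vulnerable())
    print("hardened handler:", demo_hardened())
```

The design point is that the fix is not to filter SQL keywords from the client's array but to stop accepting SQL from the client at all: the update logic is keyed by a server-side allowlist, and foreign key enforcement is left on so that even a legitimate step cannot silently orphan rows.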

Affected Version(s)

openstamanager < 2.10.2

References

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
