SQL Injection Vulnerability in OpenSTAManager Software
CVE-2026-35470

8.8 HIGH

Key Information:

Vendor: Devcode-it
CVE Published: 6 April 2026

What is CVE-2026-35470?

OpenSTAManager, an open-source management application for technical assistance and invoicing, has a significant security flaw in its handling of user input. Specifically, before version 2.10.2, the file confronta_righe.php does not adequately sanitize its input parameters, leading to an SQL injection vulnerability. An authenticated attacker can manipulate the righe parameter supplied via $_GET to inject SQL into the query the application builds from it. This could allow unauthorized access to sensitive information such as user credentials, customer details and invoice records, exposing affected organizations to serious security risks. The issue has been remediated in version 2.10.2.
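The following is an added illustration, not OpenSTAManager's own code and not the actual patch: it shows the class of defect the advisory describes (a GET parameter spliced into SQL text) next to a hardened handler that validates righe as a list of integer ids and binds them through a prepared statement. The table and column names are placeholders, since the real schema is not given on this page.

```php
<?php
// Hypothetical handler for the "righe" GET parameter. Table "righe" and
// columns "id"/"descrizione" are placeholders, not the project's real schema.

// Unsafe pattern (the defect class in the advisory): the raw parameter is
// concatenated into the SQL string, so whatever it contains is parsed as SQL.
function confrontaRigheUnsafe(PDO $pdo, string $righe): array
{
    $sql = "SELECT id, descrizione FROM righe WHERE id IN ($righe)";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: reject anything that is not a list of integer ids, then
// pass the values as bound parameters so they never reach the SQL parser.
function confrontaRigheSafe(PDO $pdo, $righe): array
{
    // Accept "1,2,3" or an array of values; normalise to trimmed strings and
    // drop empty entries (e.g. a trailing comma or an absent parameter).
    $ids = is_array($righe) ? $righe : explode(',', (string) $righe);
    $ids = array_values(array_filter(array_map('trim', $ids), 'strlen'));
    if ($ids === []) {
        return [];
    }

    // Allow-list validation: every id must consist solely of digits.
    // Anything else is refused outright rather than "cleaned up".
    foreach ($ids as $id) {
        if (!ctype_digit($id)) {
            throw new InvalidArgumentException('righe must be a list of integer ids');
        }
    }

    // One placeholder per id; the SQL text is fixed and the values travel
    // separately, which is what defeats the injection.
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $pdo->prepare(
        "SELECT id, descrizione FROM righe WHERE id IN ($placeholders)"
    );
    $stmt->execute(array_map('intval', $ids));
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Usage (assumes an existing PDO connection in $pdo):
// $rows = confrontaRigheSafe($pdo, $_GET['righe'] ?? '');
```

When reviewing a codebase for this defect class, search for `$_GET`, `$_POST` or `$_REQUEST` values that reach `query()` or `exec()` through string interpolation; every such site should be converted to the prepared-statement shape shown above.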

Affected Version(s)

openstamanager < 2.10.2

CVSS V3.1

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved