Arbitrary File Upload Vulnerability in OpenSTAManager by DevCode-it
CVE-2026-38751

7.2HIGH

Key Information:

Vendor: DevCode-it
Status: OpenSTAManager
Vendor: CVE Published:; 4 May 2026

Badges

👾 Exploit Exists🟡 Public PoC

What is CVE-2026-38751?

OpenSTAManager versions up to and including 2.10 contain a vulnerability that allows an attacker to upload arbitrary files via the module update functionality. This flaw exists in the 'upload_modules.php' script, which does not adequately validate file uploads, potentially enabling unauthorized access or modifications to the server. Developers using this software should act swiftly to mitigate the risks associated with this vulnerability.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.

OpenSTAManager-RCE-Exploit-CVE-2026-38751
Created by b0ySie7e

References

https://github.com/devcode-it/openstamanager

https://github.com/fuutianyii/poc

CVSS V3.1

Score:

7.2

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

High

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

🟡
Public PoC available
Jun 28, 2026
👾
Exploit known to exist
Jun 28, 2026
Vulnerability published
May 4, 2026
Vulnerability Reserved
Apr 6, 2026

CVE-2026-38751 Data

JSON