Cyber Resilience

CVE-2025-69213

HighPublic PoC

Published: 04 February 2026

Published
04 February 2026
Modified
18 February 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0038 29.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-69213 is a high-severity SQL Injection (CWE-89) vulnerability in Devcode Openstamanager. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 29.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-69213 is a SQL injection vulnerability (CWE-89) in OpenSTAManager, an open source management software for technical assistance and invoicing. The flaw affects versions 2.9.8 and prior, specifically in the ajax_complete.php endpoint during the get_sedi operation. Attackers can inject malicious SQL code through the idanagrafica parameter, enabling unauthorized database access.

An authenticated attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network (AV:N) with low attack complexity (AC:L) and without requiring user interaction (UI:N). Exploitation maintains an unchanged scope (S:U) and can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), as reflected in its CVSS 3.1 base score of 8.8.

The primary reference is the GitHub security advisory at https://github.com/devcode-it/openstamanager/security/advisories/GHSA-w995-ff8h-rppg. At the time of publication on 2026-02-04T18:16:07.537, no known patch exists for this vulnerability.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, a SQL Injection vulnerability exists in the ajax_complete.php endpoint when handling the get_sedi operation. An authenticated attacker can inject malicious SQL code through…

more

the idanagrafica parameter, leading to unauthorized database access. At time of publication, no known patch exists.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

SQL injection in a remotely accessible web application endpoint (ajax_complete.php) directly maps to exploitation of public-facing apps for unauthorized DB access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-35168Same product: Devcode Openstamanager
CVE-2025-69214Same product: Devcode Openstamanager
CVE-2026-28805Same product: Devcode Openstamanager
CVE-2025-69215Same product: Devcode Openstamanager
CVE-2026-35470Same product: Devcode Openstamanager
CVE-2025-69212Same product: Devcode Openstamanager
CVE-2026-29782Same product: Devcode Openstamanager
CVE-2026-27012Same product: Devcode Openstamanager
CVE-2026-24956Shared CWE-89
CVE-2026-33615Shared CWE-89

Affected Assets

devcode
openstamanager
≤ 2.9.8

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents SQL injection by validating and sanitizing the idanagrafica parameter before its use in SQL queries within the ajax_complete.php endpoint.

prevent

Requires timely remediation of the specific SQL injection flaw in OpenSTAManager versions 2.9.8 and prior, including patching when available.

prevent

Enforces restrictions on the idanagrafica input parameter, such as type and length limits, to block malicious SQL code injection.

References