CVE-2026-28805
Published: 02 April 2026
Summary
CVE-2026-28805 is a high-severity SQL Injection (CWE-89) vulnerability in Devcode Openstamanager. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 12.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly mitigates the SQL injection vulnerability by requiring validation and sanitization of the untrusted options[stato] GET parameter before concatenation into SQL WHERE clauses.
Prevents injection of arbitrary SQL by restricting the options[stato] parameter to an allowlist of valid values, addressing the lack of validation exploited in time-based blind SQLi.
Requires timely remediation of the identified SQL injection flaw through patching to OpenSTAManager version 2.10.2.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in network-accessible AJAX handlers of web app directly enables remote exploitation of the application (T1190) and arbitrary queries against the backend database for data collection (T1213.006).
NVD Description
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from…
more
$superselect['stato'] and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL database. This issue has been patched in version 2.10.2.
Deeper analysisAI
CVE-2026-28805 is a Time-Based Blind SQL Injection vulnerability in OpenSTAManager, an open source management software for technical assistance and invoicing, affecting versions prior to 2.10.2. The flaw exists in multiple AJAX select handlers, where the user-supplied value from the options[stato] GET parameter is read from $superselect['stato'] and directly concatenated into SQL WHERE clauses without sanitization, parameterization, or allowlist validation. This enables injection of arbitrary SQL statements into the MySQL database. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-89.
An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low attack complexity and no user interaction. By crafting malicious payloads in the options[stato] parameter, the attacker can execute time-based blind SQL injection techniques to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL backend.
The vulnerability has been patched in OpenSTAManager version 2.10.2. Mitigation details are provided in the GitHub security advisory at GHSA-3gw8-3mg3-jmpc, the release notes for v2.10.2, and the patching commits 50b9089c506ba2ca249afb1dfead2af5d42c10e7 and 679c40fa5b3acad4263b537f367c0695ff9666dc. Security practitioners should upgrade to the fixed version and review access controls for AJAX endpoints.
Details
- CWE(s)