CVE-2026-35168
Published: 02 April 2026
Summary
CVE-2026-35168 is a high-severity SQL Injection (CWE-89) vulnerability in Devcode Openstamanager. Its CVSS base score is 8.8 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 25.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires remediation of the SQL injection flaw in OpenSTAManager's Aggiornamenti module by patching to version 2.10.2 or later.
- SI-10 (Information Input Validation): requires validation of the JSON array of SQL statements in POST requests to the database conflict resolution feature, preventing arbitrary SQL execution.
- Vulnerability scanning: identifies the SQL injection vulnerability in the Updates module prior to exploitation.
MITRE ATT&CK Enterprise Techniques
- T1190 Exploit Public-Facing Application
Why these techniques?
SQL injection in a web application module allows direct execution of arbitrary SQL statements over the network, which is exploitation of a public-facing application.
NVD Description
OpenSTAManager is open source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization. An authenticated attacker with access to the Aggiornamenti module can execute arbitrary SQL statements including CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, SELECT INTO OUTFILE, and any other SQL command supported by the MySQL server. Foreign key checks are explicitly disabled before execution (SET FOREIGN_KEY_CHECKS=0), further reducing database integrity protections. This issue has been patched in version 2.10.2.
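To make the input-validation control concrete, the following is an added example (not OpenSTAManager code and not the project's actual 2.10.2 fix) contrasting the pattern the description attributes to the vulnerable feature, executing every statement in a client-supplied JSON array, with an allowlist design in which the request carries only keys naming server-defined resolution statements. It runs against an in-memory SQLite database; the table, index, resolution keys and payloads are constructed for illustration.

```python
"""Added example (not OpenSTAManager code): the "run whatever SQL the client
sent" pattern the advisory describes, next to an allowlist-based handler that
only runs server-defined conflict-resolution statements.
Names, schema, keys and payloads below are constructed for illustration."""
import json
import sqlite3

# Server-side allowlist: the client may only name a resolution by key; the SQL
# text itself never comes from the request. (Constructed entries.)
RESOLUTIONS = {
    "drop_orphan_index": "DROP INDEX IF EXISTS idx_orphan",
    "add_missing_column": "ALTER TABLE tickets ADD COLUMN note TEXT",
}


def _fresh_db():
    """Constructed schema standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE tickets(id INTEGER PRIMARY KEY, subject TEXT);"
        "INSERT INTO tickets(subject) VALUES ('printer down');"
        "CREATE INDEX idx_orphan ON tickets(subject);"
    )
    return conn


def unsafe_resolve(conn, body):
    """Vulnerable pattern from the advisory: each statement in the JSON array
    is executed as-is, so any SQL the caller sends runs."""
    for stmt in json.loads(body):
        conn.execute(stmt)
    return True


def safe_resolve(conn, body):
    """Hardened pattern: the request carries only allowlisted keys, so the SQL
    that executes is fixed server-side. Returns the keys applied; raises
    ValueError for malformed JSON, wrong shape, or any key not allowlisted."""
    try:
        keys = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError("body is not valid JSON") from exc
    if not isinstance(keys, list) or not all(isinstance(k, str) for k in keys):
        raise ValueError("expected a JSON array of strings")
    unknown = [k for k in keys if k not in RESOLUTIONS]
    if unknown:
        raise ValueError(f"unknown resolution keys: {unknown}")
    # Validate the whole batch first, then apply it in one transaction so a
    # failure part-way cannot leave the schema half-changed.
    with conn:
        for k in keys:
            conn.execute(RESOLUTIONS[k])
    return keys


def table_exists(conn, name):
    row = conn.execute(
        "SELECT 1 FROM sqlite_master WHERE type='table' AND name=?", (name,)
    ).fetchone()
    return row is not None


def demo():
    # Constructed hostile payload: a raw destructive statement in the array.
    hostile = json.dumps(["DROP TABLE tickets"])
    # Constructed legitimate payload for the hardened handler: keys only.
    benign = json.dumps(["drop_orphan_index", "add_missing_column"])

    c1 = _fresh_db()
    unsafe_resolve(c1, hostile)
    lost = not table_exists(c1, "tickets")

    c2 = _fresh_db()
    try:
        safe_resolve(c2, hostile)
        blocked = False
    except ValueError:
        blocked = True
    kept = table_exists(c2, "tickets")
    applied = safe_resolve(c2, benign)
    return {"unsafe_lost_table": lost, "safe_blocked": blocked,
            "safe_kept_table": kept, "applied": applied}


if __name__ == "__main__":
    print(demo())
```

The design point is that SI-10 here is not about escaping: once an endpoint's contract is "execute these statements", no sanitizer makes it safe. The contract has to change so the client selects among operations the server already trusts, and the batch is checked in full before the first statement runs.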
Deeper analysis
CVE-2026-35168 is a SQL injection vulnerability (CWE-89) affecting OpenSTAManager, open source management software for technical assistance and invoicing, in versions prior to 2.10.2. The issue lies in the Aggiornamenti (Updates) module's database conflict resolution feature (op=risolvi-conflitti-database), which accepts a JSON array of SQL statements via POST requests and executes them directly against the underlying MySQL database without any validation, allowlist, or sanitization. Foreign key checks are explicitly disabled prior to execution via SET FOREIGN_KEY_CHECKS=0, weakening database integrity protections. The vulnerability carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).
An authenticated attacker with access to the Aggiornamenti module can exploit this flaw over the network with low complexity and no user interaction required. By crafting and submitting a malicious JSON payload containing arbitrary SQL statements, the attacker can execute commands such as CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, SELECT INTO OUTFILE, and any other MySQL-supported operations, potentially leading to full database compromise, data exfiltration, modification, or destruction.
The vulnerability has been patched in OpenSTAManager version 2.10.2. Mitigation involves upgrading to this version or later. Relevant resources include the patching commit at https://github.com/devcode-it/openstamanager/commit/43970676bcd6636ff8663652fd82579f737abb74, the release announcement at https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2, and the GitHub security advisory at https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98.
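For teams that cannot patch immediately, or that want to check for earlier use of the feature, here is an added hunting example (not from the advisory or the project) that scans combined-format web server access log lines for POST requests to the op=risolvi-conflitti-database operation named above and summarises them per client. The log lines and the URL path are constructed; the page does not give the module's real path. The assumption that the op parameter appears in the query string, where a reverse proxy would log it, is ours: if the application only reads op from the POST body, the same check belongs in application or WAF logging instead.

```python
"""Added example, not from the advisory source: hunting access logs for POSTs
to the Aggiornamenti conflict-resolution operation (op=risolvi-conflitti-database).
Log lines and the /example-app/... path are constructed; the real module path
is not given on the page. Assumes `op` is visible in the query string."""
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample in Apache/nginx "combined" log format.
SAMPLE_LOG = """\
10.0.0.5 - - [02/Apr/2026:10:01:12 +0000] "GET /example-app/updates HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.5 - - [02/Apr/2026:10:01:40 +0000] "POST /example-app/updates?op=risolvi-conflitti-database HTTP/1.1" 200 210 "-" "Mozilla/5.0"
10.0.0.9 - - [02/Apr/2026:10:02:03 +0000] "POST /example-app/updates?op=risolvi-conflitti-database HTTP/1.1" 200 190 "-" "python-requests/2.31"
10.0.0.9 - - [02/Apr/2026:10:02:04 +0000] "POST /example-app/updates?op=risolvi-conflitti-database HTTP/1.1" 500 88 "-" "python-requests/2.31"
10.0.0.7 - - [02/Apr/2026:10:03:15 +0000] "POST /example-app/login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"'
)
# The operation name is the only project-specific value, and it is on the page.
TARGET_OP = "risolvi-conflitti-database"


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def is_conflict_resolution_post(rec):
    """True for a POST whose query string selects the conflict-resolution op.
    parse_qs decodes the query so encoded forms of the value still match."""
    if rec is None or rec["method"] != "POST":
        return False
    qs = parse_qs(urlsplit(rec["target"]).query)
    return TARGET_OP in qs.get("op", [])


def hunt(log_text):
    """Return (matching records, count per client IP)."""
    hits = [r for r in map(parse_line, log_text.splitlines())
            if is_conflict_resolution_post(r)]
    by_ip = Counter(r["ip"] for r in hits)
    return hits, by_ip


if __name__ == "__main__":
    hits, by_ip = hunt(SAMPLE_LOG)
    for r in hits:
        print(r["ts"], r["ip"], r["status"], r["ua"])
    print(dict(by_ip))
```

On an instance below 2.10.2 every hit deserves a look, since the operation runs whatever it receives; within the results, bursts from one client, non-browser user agents, and 500 responses from that operation (a statement that failed) are the lines to triage first, together with the application's own audit trail for which authenticated account made the request.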
Details
- CWE(s)