CVE-2026-35470
Published: 06 April 2026
Summary
CVE-2026-35470 is a high-severity SQL Injection (CWE-89) vulnerability in Devcode Openstamanager. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 2.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly prevents SQL injection by requiring validation, sanitization, or parameterization of untrusted inputs like the 'righe' parameter before inclusion in SQL queries.
SI-2 mandates timely flaw remediation, such as patching OpenSTAManager to version 2.10.2, to eliminate the SQL injection vulnerability.
RA-5 employs vulnerability scanning to identify SQL injection flaws like CVE-2026-35470 in the confronta_righe.php files prior to exploitation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
SQL injection in web app enables remote exploitation of public-facing application (T1190) and arbitrary database queries for data collection (T1213.006).
NVD Description
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to 2.10.2, confronta_righe.php files across different modules in OpenSTAManager contain an SQL Injection vulnerability. The righe parameter received via $_GET['righe'] is directly concatenated into an SQL query…
more
without any sanitization, parameterization or validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including user credentials, customer information, invoice data and any other stored data. This vulnerability is fixed in 2.10.2.
Deeper analysisAI
CVE-2026-35470 is an SQL injection vulnerability (CWE-89) affecting OpenSTAManager, an open-source management software for technical assistance and invoicing, in versions prior to 2.10.2. The issue resides in confronta_righe.php files across various modules, where the 'righe' parameter received via $_GET['righe'] is directly concatenated into an SQL query without sanitization, parameterization, or validation. This flaw has a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for confidentially, integrity, and availability impacts.
An authenticated attacker with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. By crafting malicious input for the 'righe' parameter, they can inject arbitrary SQL statements, enabling extraction of sensitive data from the database, such as user credentials, customer information, invoice data, and other stored records. The high impact scores suggest possibilities for data modification or deletion as well.
The vulnerability is addressed in OpenSTAManager version 2.10.2, as detailed in the project's GitHub release notes and security advisory (GHSA-mmm5-3g4x-qw39). Security practitioners should prioritize upgrading affected instances to the patched version to mitigate the risk.
Details
- CWE(s)