Zero Day Monitor (ZDM)
CVE-2026-29782 · PATCHED · CVSS 7.2
composer · devcode-it/openstamanager

OpenSTAManager: Remote Code Execution via Insecure Deserialization in OAuth2

Description

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize() on the access_token field without any class restriction. This issue has been patched in version 2.10.2.

Affected Products

Vendor: composer
Product: devcode-it/openstamanager
Versions: composer/devcode-it/openstamanager: <= 2.10.1

References

  • https://github.com/devcode-it/openstamanager/security/advisories/GHSA-whv5-4q2f-q68g (x_refsource_CONFIRM)
  • https://github.com/devcode-it/openstamanager/commit/d2e38cbdf91a831cefc0da1548e02b297ae644cc (x_refsource_MISC)
  • https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2 (x_refsource_MISC)

Related News (1 article)

  • VulDB (Tier C, 4d ago): CVE-2026-29782 | devcode-it openstamanager up to 2.10.1 oauth2.php unserialize deserialization (GHSA-whv5-4q2f-q68g)
    → No new info (linked only)

CVSS 3.1: 7.2 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CISA KEV: No
Actively exploited: No
Patch available: devcode-it/openstamanager@2.10.2
CWE: CWE-502
Published: Apr 1, 2026
Last enriched: 4d ago (v2)
Tags: GHSA-whv5-4q2f-q68g, composer
Trending Score: 24
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack

Related CVEs (5)

  • CRITICAL · CVE-2026-35470 · EXP · Trending: 49
    OpenSTAManager has a SQL Injection via righe Parameter in confronta_righe Modals
  • HIGH · CVE-2026-35181 · EXP · Trending: 47
    WWBN AVideo Affected by CSRF on Player Skin Configuration via admin/playerUpdate.json.php
  • HIGH · CVE-2026-35179 · EXP · Trending: 47
    WWBN AVideo Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php
  • NONE · CVE-2026-34989 · Trending: 20
    CI4MS affected by Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS
  • HIGH · CVE-2026-34236 · Trending: 14
    Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient

Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • Apr 1, 2026: CVE Published
  • Apr 1, 2026: Discovered by ZDM
  • Apr 2, 2026: Updated: affectedVersions, severity
  • Apr 3, 2026: Patch Available

Version History

  • v2 (Tier C, 4d ago, via VulDB): Updated affected versions to include 2.10.1, changed severity to MEDIUM, and noted that no exploit exists. Fields changed: affectedVersions, severity.
  • v1 (5d ago): Initial creation