Zero Day Monitor (ZDM) © 2026
CVE-2026-35470 · CVSS 8.8 · EXPLOITED · PATCHED
composer · devcode-it/openstamanager

OpenSTAManager has a SQL Injection via righe Parameter in confronta_righe Modals

Description

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to 2.10.2, confronta_righe.php files across different modules in OpenSTAManager contain an SQL Injection vulnerability. The righe parameter received via $_GET['righe'] is directly concatenated into an SQL query without any sanitization, parameterization or validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including user credentials, customer information, invoice data and any other stored data. This vulnerability is fixed in 2.10.2.

Affected Products

Vendor     Product                     Versions
composer   devcode-it/openstamanager   < 2.10.2

References

  • https://github.com/devcode-it/openstamanager/security/advisories/GHSA-mmm5-3g4x-qw39 (x_refsource_CONFIRM)
  • https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2 (x_refsource_MISC)

Related News (1 article)

Tier C · VulDB · 3h ago
CVE-2026-35470 | devcode-it openstamanager up to 2.10.1 Customer Information confronta_righe.php righe sql injection (GHSA-mmm5-3g4x-qw39)
→ No new info (linked only)
CVSS 3.1: 8.8 CRITICAL
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CISA KEV: No
Actively exploited: Yes
Patch available: null
CWE: CWE-89
Published: Apr 3, 2026
Last enriched: 2h ago (v2)
Tags: GHSA-mmm5-3g4x-qw39, composer
Trending Score: 49
Source articles: 1
Independent: 1
Info Completeness: 9/14
Missing: epss, kev, exploit, iocs, mitre_attack


Related CVEs (5)

  • HIGH · CVE-2026-35181 · EXP: WWBN AVideo Affected by CSRF on Player Skin Configuration via admin/playerUpdate.json.php (Trending: 47)
  • HIGH · CVE-2026-35179 · EXP: WWBN AVideo Unauthenticated Instagram Graph API Proxy via publishInstagram.json.php (Trending: 47)
  • HIGH · CVE-2026-29782: OpenSTAManager: Remote Code Execution via Insecure Deserialization in OAuth2 (Trending: 24)
  • NONE · CVE-2026-34989: CI4MS affected by Profile & User Management Full Account Takeover for All-Roles & Privilege-Escalation via Stored DOM XSS (Trending: 20)
  • HIGH · CVE-2026-34236: Auth0-PHP is a PHP SDK for Auth0 Authentication and Management APIs. From version 8.0.0 to before version 8.19.0, in applications built with the Auth0 PHP SDK, cookies are encrypted with insufficient (Trending: 14)


Verification

State: unverified
Confidence: 0%

Vulnerability Timeline

  • CVE Published: Apr 3, 2026
  • Discovered by ZDM: Apr 3, 2026
  • Actively Exploited: Apr 6, 2026
  • Patch Available: Apr 6, 2026
  • Updated (severity, activelyExploited, patchAvailable): Apr 6, 2026

Version History

Current: v2 (last enriched 2h ago)

  • v2 · Tier C · 2h ago · via VulDB
    Updated severity to CRITICAL, marked as actively exploited, and noted that no exploit is available.
    Fields changed: severity, activelyExploited, patchAvailable
  • v1 · 2d ago
    Initial creation