216.73.217.98

CVE-2026-35470

· Published 06/04/2026 18:16 · Modified 07/04/2026 15:17

Labels: CVE-2026-35470 2026-04-06CVE-2026-35470CWE-89[email protected]

Essential information

Published
06/04/2026 18:16
Modified
07/04/2026 15:17
Author
Creator
CVSS
8.8 HIGH (v3.1)
CISA KEV
No
CWE
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CVSS metrics

Description

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to 2.10.2, confronta_righe.php files across different modules in OpenSTAManager contain an SQL Injection vulnerability. The righe parameter received via $_GET['righe'] is directly concatenated into an SQL query without any sanitization, parameterization or validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including user credentials, customer information, invoice data and any other stored data. This vulnerability is fixed in 2.10.2.

NVD status

Status
Undergoing Analysis — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
openstamanager / openstamanager cpe:2.3:a:openstamanager:openstamanager:<2.10.2:*:*:*:*:*:*:*

References