CVE-2026-35168
SQL Injection in OpenSTAManager Updates Module Enables Arbitrary DB Access
Publication date: 2026-04-02
Last updated on: 2026-04-07
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| devcode | openstamanager | up to 2.10.2 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-89 | The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data. |
Attack-Flow Graph
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can have severe impacts including:
- Confidentiality: An attacker can exfiltrate the entire database, including sensitive credentials, personal data, financial information, and secrets.
- Integrity: The attacker can modify database contents arbitrarily, such as creating unauthorized admin accounts, altering records, or planting backdoors.
- Availability: The attacker can disrupt service by dropping critical tables, corrupting data, or running resource-intensive queries causing denial of service.
- Potential Remote Code Execution: Depending on the MySQL server configuration, further exploitation beyond SQL injection may be possible.
Can you explain this vulnerability to me?
CVE-2026-35168 is a critical SQL Injection vulnerability in the Aggiornamenti (Updates) module of OpenSTAManager versions up to 2.10.1. The vulnerability exists because the module accepts a JSON array of SQL statements via a POST request and executes them directly on the MySQL database without any validation, filtering, or allowlisting.
An authenticated attacker with access to this module can send arbitrary SQL commands such as CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, and SELECT INTO OUTFILE. The module disables foreign key checks before execution, which further weakens database integrity protections.
This means an attacker can fully control the database by executing any SQL commands, potentially leading to data theft, data manipulation, or destruction.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for POST requests to the Aggiornamenti module endpoint that include the operation parameter `op=risolvi-conflitti-database` and contain a JSON array of SQL statements in the `queries` parameter. Such requests indicate attempts to execute arbitrary SQL commands.
Detection commands could include inspecting web server logs or using network monitoring tools to filter HTTP POST requests targeting `/editor.php?id_module=6&id_record=6` (default module ID) with the specific POST parameter `op=risolvi-conflitti-database`.
- Example command to search web server logs for suspicious POST requests: `grep -i 'op=risolvi-conflitti-database' /var/log/apache2/access.log`
- Using curl to test if the endpoint is accessible and vulnerable (requires authentication; the URL must be quoted, otherwise the shell treats `&` as a command separator): `curl -X POST -d 'op=risolvi-conflitti-database&queries=["SELECT 1"]' -b cookies.txt 'https://target/editor.php?id_module=6&id_record=6'`
Additionally, monitoring for error messages leaking detailed database exceptions in HTTP responses from this module can help identify exploitation attempts.
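As an added illustration (not part of this record or of OpenSTAManager itself), the following Python check applies the detection criteria above to request records and rates the submitted statements by the statement kinds the advisory lists. It assumes a log source that captures POST bodies (a reverse-proxy or WAF audit log), since a plain Apache access log does not record them; the sample requests are constructed.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample requests (method, URL, POST body); not captured traffic.
SAMPLE_REQUESTS = [
    ("POST", "/editor.php?id_module=6&id_record=6",
     'op=risolvi-conflitti-database&queries=["DROP TABLE example_table"]'),
    ("POST", "/editor.php?id_module=6&id_record=6",
     'op=risolvi-conflitti-database&queries=["SELECT 1"]'),
    ("POST", "/editor.php?id_module=6&id_record=6", "op=update&nome=test"),
    ("GET", "/editor.php?id_module=6&id_record=6", ""),
]
# Statement kinds the advisory says reach the database through this operation.
HIGH_RISK_MARKERS = ("CREATE", "DROP", "ALTER", "INSERT", "UPDATE", "DELETE", "INTO OUTFILE")


def classify_statements(statements):
    """'high' if any statement carries a schema-, data- or file-writing keyword."""
    for stmt in statements:
        if any(marker in stmt.upper() for marker in HIGH_RISK_MARKERS):
            return "high"
    return "low"


def inspect_request(method, url, body):
    """Return None for unrelated traffic, or a finding for a conflict-resolution POST."""
    parts = urlsplit(url)
    if method.upper() != "POST" or not parts.path.endswith("/editor.php"):
        return None
    form = parse_qs(body, keep_blank_values=True)
    if form.get("op", [""])[0] != "risolvi-conflitti-database":
        return None
    raw = form.get("queries", [""])[0]
    try:
        statements = json.loads(raw)
        if not isinstance(statements, list):
            statements = [statements]
    except json.JSONDecodeError:
        statements = [raw]  # not the expected JSON array, but still a hit on the op parameter
    statements = [str(s) for s in statements]
    return {
        "id_module": parse_qs(parts.query).get("id_module", ["?"])[0],
        "statements": statements,
        "risk": classify_statements(statements),
    }


def scan(requests):
    """Run inspect_request over (method, url, body) tuples and keep only the findings."""
    return [f for f in (inspect_request(*r) for r in requests) if f]
```

Any finding is worth reviewing because the operation itself is the vulnerable code path; the risk rating only orders the triage queue.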
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade OpenSTAManager to version 2.10.2 or later, where the vulnerability has been patched by implementing strict whitelist-based validation of SQL queries.
If upgrading immediately is not possible, restrict access to the Aggiornamenti module to only trusted and necessary users, as exploitation requires authenticated access with read-write permissions.
Monitor and block any POST requests containing the `op=risolvi-conflitti-database` operation parameter to prevent execution of arbitrary SQL commands.
Review and harden authentication and authorization controls to ensure only authorized administrators can access the vulnerable module.
Apply network-level protections such as web application firewalls (WAFs) to detect and block suspicious SQL injection attempts targeting this endpoint.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability allows an authenticated attacker to execute arbitrary SQL commands on the OpenSTAManager database without validation or restrictions, leading to complete compromise of confidentiality, integrity, and availability of sensitive data.
Such a compromise can result in unauthorized access to personal data, financial information, and credentials stored in the database, which directly impacts compliance with data protection regulations like GDPR and HIPAA that require safeguarding sensitive information against unauthorized access and breaches.
The ability to exfiltrate, modify, or delete sensitive data violates core principles of these standards, potentially leading to legal and regulatory consequences for organizations using vulnerable versions of OpenSTAManager.