CVE-2026-35470
Received Received - Intake
SQL Injection in OpenSTAManager confronta_righe.php Allows Data Theft

Publication date: 2026-04-06

Last updated on: 2026-04-14

Assigner: GitHub, Inc.

Description
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to 2.10.2, confronta_righe.php files across different modules in OpenSTAManager contain an SQL Injection vulnerability. The righe parameter received via $_GET['righe'] is directly concatenated into an SQL query without any sanitization, parameterization or validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including user credentials, customer information, invoice data and any other stored data. This vulnerability is fixed in 2.10.2.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-14
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-35470
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
devcode openstamanager to 2.10.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The SQL Injection vulnerability in OpenSTAManager allows an authenticated attacker to extract sensitive data such as user credentials, customer information, invoice data, and other stored data. This exposure of sensitive personal and financial information can lead to non-compliance with data protection regulations like GDPR and HIPAA, which require the protection of personal and sensitive data against unauthorized access and breaches.

Additionally, the vulnerability permits modification and deletion of data, impacting data integrity and availability, which are critical aspects of compliance with these standards.

Therefore, exploitation of this vulnerability could result in violations of confidentiality, integrity, and availability requirements mandated by common standards and regulations.

Executive Summary

CVE-2026-35470 is a high-severity SQL Injection vulnerability in OpenSTAManager versions up to 2.10.1. It affects six different confronta_righe.php files across various modules. The vulnerability arises because the righe parameter, received via $_GET['righe'], is directly concatenated into an SQL query without any sanitization, parameterization, or validation.

This allows an authenticated attacker with access to the modules to inject arbitrary SQL statements. The injection occurs specifically in an SQL IN() clause, enabling the attacker to extract sensitive data such as user credentials, customer information, invoices, contracts, and other stored data.

Additionally, the attacker can modify data (INSERT/UPDATE/DELETE) and potentially delete or corrupt database tables, impacting the confidentiality, integrity, and availability of the system.

Impact Analysis

This vulnerability can have severe impacts including:

  • Confidentiality: An attacker can extract full database data including sensitive credentials such as bcrypt-hashed passwords.
  • Integrity: The attacker can modify data by injecting SQL queries, potentially altering or corrupting important information.
  • Availability: The attacker can delete or corrupt critical database tables, causing denial of service or data loss.
Detection Guidance

This vulnerability can be detected by identifying if your OpenSTAManager installation is running a vulnerable version (prior to 2.10.2) and if the `confronta_righe.php` files in the modules `fatture`, `interventi`, `preventivi`, `ordini`, `ddt`, and `contratti` are present and accessible.

Detection can involve checking for suspicious HTTP GET requests containing the `righe` parameter with SQL injection payloads targeting these PHP files.

Example commands to detect potential exploitation attempts include using network monitoring or web server logs to search for requests with SQL injection patterns in the `righe` parameter, such as:

  • Using grep on web server logs to find suspicious requests: `grep -i "righe=.*(select|extractvalue|union|sleep)" /var/log/apache2/access.log`
  • Using curl to test the vulnerability manually by injecting SQL payloads into the `righe` parameter, for example: `curl "http://yourserver/modules/interventi/modals/confronta_righe.php?righe=1) AND EXTRACTVALUE(1, CONCAT(0x7e,(SELECT database()),0x7e))-- -"`

Additionally, reviewing the source code for direct concatenation of the `righe` parameter into SQL queries without sanitization can confirm the presence of the vulnerability.

Mitigation Strategies

Immediate mitigation steps include:

  • Restrict access to the affected `confronta_righe.php` files and modules to only trusted authenticated users to reduce the attack surface.
  • Implement input validation and sanitization on the `righe` parameter to prevent SQL injection.
  • Apply the recommended code fix by replacing direct concatenation of the `righe` parameter with parameterized queries using prepared statements. For example, convert the vulnerable code to use integer casting and placeholders as follows:

```php $righe_ids = array_map('intval', explode(',', $_GET['righe'] ?? '')); $placeholders = implode(',', array_fill(0, count($righe_ids), '?')); $righe = $dbo->fetchArray('SELECT ... WHERE id IN (' . $placeholders . ')', $righe_ids); ```

  • Update OpenSTAManager to version 2.10.2 or later once available, as this version contains the official fix.
  • Monitor logs for suspicious activity and consider temporarily disabling or restricting the vulnerable modules if immediate patching is not possible.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-35470. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart