CVE-2026-38751
Arbitrary File Upload in OpenSTAManager
Publication date: 2026-05-04
Last updated on: 2026-05-05
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openstamanager | openstamanager | up to 2.10 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-434 | The product allows the upload or transfer of dangerous file types that are automatically processed within its environment. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenSTAManager version 2.10 and earlier. It is an arbitrary file upload vulnerability located in the module update functionality, specifically in the file modules/aggiornamenti/upload_modules.php.
How can this vulnerability impact me?
An arbitrary file upload vulnerability can allow an attacker to upload malicious files to the affected system. This could lead to unauthorized code execution, data compromise, or system takeover depending on the nature of the uploaded files and the system's configuration.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The CVE description indicates that OpenSTAManager version 2.10 and earlier contains an arbitrary file upload vulnerability with high impact on confidentiality, integrity, and availability (CVSS 7.2). Such a vulnerability could potentially allow unauthorized access or modification of sensitive data.
However, there is no specific information provided in the context or resources about how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability exists in OpenSTAManager version 2.10 and earlier, specifically in the module update functionality at modules/aggiornamenti/upload_modules.php. Detection would involve checking if your system is running a vulnerable version of OpenSTAManager and if the vulnerable upload_modules.php endpoint is accessible.
While no explicit detection commands are provided, you can verify the version of OpenSTAManager installed on your system by checking the application version or inspecting the file path mentioned.
Additionally, you may monitor network traffic for suspicious POST requests to the URL path /modules/aggiornamenti/upload_modules.php, which could indicate exploitation attempts.
For more technical details or proof-of-concept code that might assist in detection, you can refer to the GitHub repository containing a PoC for CVE-2026-38751.
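The log-monitoring suggestion above can be turned into a small triage script. The following is an added example written for this page, not code from OpenSTAManager or from the PoC repository; it assumes the web server writes a standard "combined" access log (Apache or nginx default), and the sample log lines are constructed for illustration. It flags POST requests to the upload endpoint named in the advisory, tolerates query strings, trailing slashes and case differences in the path, keeps the HTTP status so you can see whether a web-server access restriction actually blocked the request, and summarizes hits per source address.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Endpoint named in the advisory as the vulnerable module-update upload handler.
UPLOAD_ENDPOINT = "/modules/aggiornamenti/upload_modules.php"

# Apache/nginx "combined" access-log format (referer and user-agent are ignored).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Normalize: strip query string, trailing slash and case before comparing paths.
    rec["path"] = urlsplit(rec["target"]).path.rstrip("/").lower()
    return rec


def is_upload_request(rec):
    """True for a POST aimed at the module-update upload endpoint."""
    return rec["method"] == "POST" and rec["path"] == UPLOAD_ENDPOINT


def find_upload_attempts(lines):
    """Return the parsed records of every POST to the upload endpoint."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_upload_request(rec):
            hits.append(rec)
    return hits


def summarize_by_source(hits):
    """Count flagged requests per client IP (Counter behaves like a dict)."""
    return Counter(h["ip"] for h in hits)


# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = [
    '203.0.113.10 - - [04/May/2026:10:15:01 +0000] "POST /modules/aggiornamenti/upload_modules.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.10 - - [04/May/2026:10:15:02 +0000] "GET /modules/aggiornamenti/upload_modules.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [04/May/2026:10:16:30 +0000] "POST /modules/aggiornamenti/UPLOAD_MODULES.php?force=1 HTTP/1.1" 403 0 "-" "curl/8.0"',
    '198.51.100.7 - - [04/May/2026:10:16:31 +0000] "POST /modules/anagrafiche/actions.php HTTP/1.1" 302 0 "-" "curl/8.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for h in find_upload_attempts(SAMPLE_LOG):
        # Status 403 means the web-server restriction blocked the attempt; 200 means it reached the application.
        print(f'{h["time"]} {h["ip"]} POST {h["target"]} -> {h["status"]}')
    print("per-source counts:", dict(summarize_by_source(find_upload_attempts(SAMPLE_LOG))))
```

A hit is not proof of exploitation: legitimate administrators also POST to this endpoint when updating modules, so compare flagged entries against expected admin activity (source address, time of day, authenticated session) before escalating. Requests with a 200 status from unexpected sources deserve a look at what files appeared under the web root shortly afterwards.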
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading OpenSTAManager to a version later than 2.10 where this arbitrary file upload vulnerability is fixed.
If an upgrade is not immediately possible, restrict access to the vulnerable module update functionality (modules/aggiornamenti/upload_modules.php) by applying network-level controls such as firewall rules or web server access restrictions.
Monitor logs for any suspicious activity targeting the upload_modules.php endpoint and consider disabling module uploads temporarily if feasible.