CVE-2026-38751
Analyzed Analyzed - Analysis Complete
Arbitrary File Upload in OpenSTAManager

Publication date: 2026-05-04

Last updated on: 2026-05-29

Assigner: MITRE

Description
OpenSTAManager version 2.10 and earlier contains an arbitrary file upload vulnerability in the module update functionality (modules/aggiornamenti/upload_modules.php)
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-04
Last Modified
2026-05-29
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-14
NVD
CVE-2026-38751
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
devcode openstamanager to 2.10 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-434 The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in OpenSTAManager version 2.10 and earlier. It is an arbitrary file upload vulnerability located in the module update functionality, specifically in the file modules/aggiornamenti/upload_modules.php.

Impact Analysis

An arbitrary file upload vulnerability can allow an attacker to upload malicious files to the affected system. This could lead to unauthorized code execution, data compromise, or system takeover depending on the nature of the uploaded files and the system's configuration.

Compliance Impact

The CVE description indicates that OpenSTAManager version 2.10 and earlier contains an arbitrary file upload vulnerability with high impact on confidentiality, integrity, and availability (CVSS 7.2). Such a vulnerability could potentially allow unauthorized access or modification of sensitive data.

However, there is no specific information provided in the context or resources about how this vulnerability directly affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability exists in OpenSTAManager version 2.10 and earlier, specifically in the module update functionality at modules/aggiornamenti/upload_modules.php. Detection would involve checking if your system is running a vulnerable version of OpenSTAManager and if the vulnerable upload_modules.php endpoint is accessible.

While no explicit detection commands are provided, you can verify the version of OpenSTAManager installed on your system by checking the application version or inspecting the file path mentioned.

Additionally, you may monitor network traffic for suspicious POST requests to the URL path /modules/aggiornamenti/upload_modules.php, which could indicate exploitation attempts.

For more technical details or proof-of-concept code that might assist in detection, you can refer to the GitHub repository containing a PoC for CVE-2026-38751.

Mitigation Strategies

Immediate mitigation steps include upgrading OpenSTAManager to a version later than 2.10 where this arbitrary file upload vulnerability is fixed.

If an upgrade is not immediately possible, restrict access to the vulnerable module update functionality (modules/aggiornamenti/upload_modules.php) by applying network-level controls such as firewall rules or web server access restrictions.

Monitor logs for any suspicious activity targeting the upload_modules.php endpoint and consider disabling module uploads temporarily if feasible.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-38751. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart