CVE Reports

Originally published at cvereports.com

CVE-2026-35168: Authenticated Remote Code Execution via SQL Injection in OpenSTAManager Aggiornamenti Module


Vulnerability ID: CVE-2026-35168
CVSS Score: 8.8
Published: 2026-04-03

OpenSTAManager versions prior to 2.10.2 contain a high-severity SQL Injection vulnerability in the Aggiornamenti module. The application accepts raw SQL statements in JSON format and executes them directly against the database without validation. This flaw enables authenticated attackers to modify database schemas, exfiltrate data, and potentially achieve remote code execution depending on database configuration.

TL;DR

A critical SQL injection flaw in OpenSTAManager < 2.10.2 allows authenticated users to execute arbitrary SQL commands via the database conflict resolution feature. The application temporarily disables foreign key checks and runs user-provided queries directly.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-89
  • Attack Vector: Network
  • CVSS v3.1: 8.8 (High)
  • Privileges Required: Low (Authenticated)
  • Impact: High Confidentiality, Integrity, Availability
  • Exploit Status: Proof of Concept Available

Affected Systems

  • OpenSTAManager Aggiornamenti Module (modules/aggiornamenti/actions.php)
  • Underlying MySQL/MariaDB Database
  • openstamanager: < 2.10.2 (Fixed in: 2.10.2)

Code Analysis

Commit: 4397067

Fix SQL injection vulnerability in database conflict resolution module by introducing regex allowlist
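The fix commit is summarised as "introducing regex allowlist", and the report describes the pre-fix handler as taking raw SQL from a JSON body, switching foreign key checks off and running the statements as given. The following Python is an added example written for this page, not code from OpenSTAManager or its fix: it places that unsafe pattern beside an allowlisted variant so the difference can be exercised. SQLite is used as a stand-in for MySQL/MariaDB, the `queries` JSON key, the handler names and the two allowlisted statement shapes are all assumptions for illustration, and the real allowlist regex in 2.10.2 is not reproduced.

```python
import json
import re
import sqlite3

# Constructed allowlist (an assumption for this example, not the project's regex).
# Identifiers are backtick-quoted and restricted to [A-Za-z0-9_]; only two statement
# shapes are accepted, and each is matched with fullmatch so nothing can trail them.
_IDENT = r"`[A-Za-z_][A-Za-z0-9_]*`"
_TYPE = r"(?:INT|INTEGER|TEXT|DATE|DATETIME|VARCHAR\(\d{1,4}\)|DECIMAL\(\d{1,2},\d{1,2}\))"
ALLOWED_STATEMENTS = [
    re.compile(rf"ALTER TABLE {_IDENT} ADD COLUMN {_IDENT} {_TYPE}", re.IGNORECASE),
    re.compile(rf"CREATE INDEX {_IDENT} ON {_IDENT} \({_IDENT}\)", re.IGNORECASE),
]


def is_allowed(statement: str) -> bool:
    """True only if the whole statement matches one allowlisted shape and is not stacked."""
    s = statement.strip().rstrip(";").strip()
    if ";" in s:  # a second statement hidden after a separator is never acceptable
        return False
    return any(p.fullmatch(s) for p in ALLOWED_STATEMENTS)


def parse_payload(raw_json: str) -> list[str]:
    """Extract the statement list; the 'queries' key is a hypothetical payload layout."""
    data = json.loads(raw_json)
    queries = data.get("queries") if isinstance(data, dict) else None
    if not isinstance(queries, list) or not all(isinstance(q, str) for q in queries):
        raise ValueError("payload must be a JSON object with a 'queries' list of strings")
    return queries


def resolve_conflicts_unsafe(raw_json: str, conn: sqlite3.Connection) -> None:
    """Mirrors the pattern the report describes: FK checks off, every statement run verbatim."""
    conn.execute("PRAGMA foreign_keys = OFF")
    for q in parse_payload(raw_json):
        conn.executescript(q)  # executescript accepts stacked statements, like a raw multi-query
    conn.execute("PRAGMA foreign_keys = ON")


def resolve_conflicts_safe(raw_json: str, conn: sqlite3.Connection) -> list[str]:
    """Hardened variant: validate every statement first, then run them in one transaction."""
    statements = parse_payload(raw_json)
    rejected = [q for q in statements if not is_allowed(q)]
    if rejected:
        raise ValueError(f"rejected {len(rejected)} statement(s) not matching the allowlist")
    conn.execute("PRAGMA foreign_keys = OFF")  # must be set outside a transaction in SQLite
    try:
        conn.execute("BEGIN")
        for q in statements:
            conn.execute(q)  # single statement only; execute() refuses stacked SQL
        conn.execute("COMMIT")
    except Exception:
        conn.execute("ROLLBACK")
        raise
    finally:
        conn.execute("PRAGMA foreign_keys = ON")
    return statements


def demo() -> dict:
    """Run both handlers against constructed payloads and report what survived."""
    def fresh_db() -> sqlite3.Connection:
        c = sqlite3.connect(":memory:", isolation_level=None)  # autocommit; we manage BEGIN/COMMIT
        c.execute("CREATE TABLE clienti (id INTEGER PRIMARY KEY, ragione_sociale TEXT)")
        return c

    def table_exists(c: sqlite3.Connection) -> bool:
        row = c.execute("SELECT count(*) FROM sqlite_master WHERE name = 'clienti'").fetchone()
        return row[0] == 1

    # Constructed payloads: one legitimate schema fix, one destructive statement.
    benign = json.dumps({"queries": ["ALTER TABLE `clienti` ADD COLUMN `codice_fiscale` VARCHAR(16)"]})
    hostile = json.dumps({"queries": ["DROP TABLE `clienti`"]})

    unsafe_db = fresh_db()
    resolve_conflicts_unsafe(hostile, unsafe_db)  # the table is gone afterwards

    safe_db = fresh_db()
    resolve_conflicts_safe(benign, safe_db)
    try:
        resolve_conflicts_safe(hostile, safe_db)
        safe_rejected = False
    except ValueError:
        safe_rejected = True

    columns = [row[1] for row in safe_db.execute("PRAGMA table_info(clienti)")]
    return {
        "unsafe_table_survived": table_exists(unsafe_db),
        "safe_table_survived": table_exists(safe_db),
        "safe_rejected_hostile": safe_rejected,
        "safe_columns": columns,
    }


if __name__ == "__main__":
    print(demo())
```

The allowlist deliberately validates the whole statement shape rather than searching for forbidden keywords: a denylist of `DROP`/`ALTER` is easy to miss with comments, case tricks or alternative syntax, whereas a `fullmatch` against the handful of forms the updater legitimately needs rejects everything else by default, including stacked statements.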

Mitigation Strategies

  • Software Patching
  • Database Privilege Reduction
  • Web Application Firewall (WAF) Deployment

Remediation Steps:

  1. Create a full backup of the OpenSTAManager application and database.
  2. Upgrade the OpenSTAManager installation to version 2.10.2 or higher.
  3. Review the database user privileges. Revoke FILE, DROP, and ALTER privileges if they are not strictly required for daily operation.
  4. Implement WAF rules to inspect JSON payloads on the modules/aggiornamenti/actions.php endpoint.

Read the full report for CVE-2026-35168 on our website for more details including interactive diagrams and full exploit analysis.
