CVE-2026-35470: Devcode · Openstamanager
Vulnerability data via NVD (ingested)
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to 2.10.2, confronta_righe.php files across different modules in OpenSTAManager contain an SQL Injection vulnerability. The righe parameter received via $_GET['righe'] is directly concatenated into an SQL query without any sanitization, parameterization or validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including user credentials, customer information, invoice data and any other stored data. This vulnerability is fixed in 2.10.2.
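One way to handle such a parameter safely, shown as an added example that is not OpenSTAManager's code or its 2.10.2 patch. It assumes righe carries a comma-separated list of numeric row IDs used in an IN (...) clause; the table righe_documento, its columns and the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Pattern the advisory describes, kept as a comment only:
//   $query = 'SELECT ... WHERE id IN (' . $_GET['righe'] . ')';

/** Strictly parse an ID list. Assumption: `righe` holds comma-separated numeric IDs. */
function parseRowIds(string $raw): array
{
    $ids = [];
    foreach (explode(',', $raw) as $part) {
        $part = trim($part);
        // Reject, never "clean": digits only, short enough to fit a 64-bit int.
        if (!ctype_digit($part) || strlen($part) > 18) {
            throw new InvalidArgumentException('righe must be a list of integer IDs');
        }
        $ids[] = (int) $part;
    }
    return array_values(array_unique($ids));
}

/** One bound placeholder per ID, so request data never becomes SQL text. */
function fetchRows(PDO $db, string $raw): array
{
    $ids = parseRowIds($raw);
    $placeholders = implode(',', array_fill(0, count($ids), '?'));
    // `righe_documento` and its columns are hypothetical names for this example.
    $stmt = $db->prepare(
        "SELECT id, descrizione FROM righe_documento WHERE id IN ($placeholders) ORDER BY id"
    );
    $stmt->execute($ids);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE righe_documento (id INTEGER PRIMARY KEY, descrizione TEXT)');
$db->exec("INSERT INTO righe_documento VALUES (1,'Intervento'),(2,'Ricambio'),(3,'Trasferta')");

print_r(fetchRows($db, '1, 3'));

foreach (['1,abc', '2)', ''] as $bad) { // constructed malformed values
    try {
        fetchRows($db, $bad);
    } catch (InvalidArgumentException $e) {
        echo "rejected: ", var_export($bad, true), "\n";
    }
}
```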
Search for exposed instances
Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).
vuln:CVE-2026-35470
product:"Devcode Openstamanager"
http.html:"Openstamanager"
More intel sources (5)
vuln:CVE-2026-35470
vulnerabilities.cve_id: CVE-2026-35470
CVE-2026-35470
CVE-2026-35470
"CVE-2026-35470" exploit -site:nvd.nist.gov