CVE-2026-35168: OpenSTAManager: SQL Injection via Aggiornamenti Module
The Aggiornamenti (Updates) module in OpenSTAManager <= 2.10.1 contains a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization.
An authenticated attacker with access to the Aggiornamenti module can execute arbitrary SQL statements including CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, SELECT INTO OUTFILE, and any other SQL command supported by the MySQL server. Foreign key checks are explicitly disabled before execution (SET FOREIGN_KEY_CHECKS=0), further reducing database integrity protections.
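Detection logic for this endpoint, as an added example that is not part of the advisory or of the OpenSTAManager project: it triages a constructed JSON-lines request log (the field names, the `/actions.php` path and the `queries` form field are assumptions) and flags POSTs carrying `op=risolvi-conflitti-database`, listing any statements of the classes the advisory names.

```python
# Triage request logs for POSTs to the OpenSTAManager conflict-resolution op (CVE-2026-35168).
import json
import re
from typing import Optional
from urllib.parse import parse_qs, quote, urlsplit

VULN_OP = "risolvi-conflitti-database"
# Statement classes the advisory names as reachable through the endpoint.
RISKY_SQL = re.compile(r"^\s*(CREATE|DROP|ALTER|INSERT|UPDATE|DELETE|SELECT|SET)\b", re.I)

def request_op(path: str, body: str) -> Optional[str]:
    """Return the 'op' parameter from the query string, else from a form-encoded body."""
    qs = parse_qs(urlsplit(path).query)
    params = qs if "op" in qs else parse_qs(body)
    return params["op"][0] if "op" in params else None

def extract_statements(body: str) -> list:
    """Find a JSON array of strings either as the raw body or inside any form field."""
    for cand in [body] + [v for vals in parse_qs(body).values() for v in vals]:
        try:
            data = json.loads(cand)
        except ValueError:
            continue
        if isinstance(data, list) and all(isinstance(s, str) for s in data):
            return data
    return []

def triage(line: str) -> Optional[dict]:
    """Return a finding for a POST carrying the vulnerable op, else None."""
    rec = json.loads(line)
    if rec.get("method") != "POST" or request_op(rec.get("path", ""), rec.get("body", "")) != VULN_OP:
        return None
    stmts = extract_statements(rec.get("body", ""))
    return {"src": rec.get("src"), "user": rec.get("user"), "statements": len(stmts),
            "risky": [s for s in stmts if RISKY_SQL.match(s)]}

def findings(lines) -> list:
    return [f for f in map(triage, lines) if f]

# Constructed sample log (JSON lines with src/user/method/path/body; format, path and field are assumed).
SAMPLE_LOG = [json.dumps(r) for r in [
    {"src": "10.0.0.5", "user": "admin", "method": "GET",
     "path": "/controller.php?id_module=7", "body": ""},
    {"src": "10.0.0.9", "user": "tecnico", "method": "POST", "path": "/actions.php?op=" + VULN_OP,
     "body": json.dumps(["CREATE TABLE zz_demo (id INT)", "DROP TABLE zz_demo"])},
    {"src": "10.0.0.9", "user": "tecnico", "method": "POST", "path": "/actions.php",
     "body": "op=" + VULN_OP + "&queries=" + quote(json.dumps(["INSERT INTO zz_demo VALUES (1)"]))},
    {"src": "10.0.0.2", "user": "admin", "method": "POST",
     "path": "/actions.php?op=update", "body": "id=3"},
]]
```

Any hit from an account that is not expected to run database maintenance, or from a host outside the administrative network, is worth an alert on its own; the `risky` list tells the responder what the request tried to run.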
References
- github.com/advisories/GHSA-2fr7-cc4f-wh98
- github.com/devcode-it/openstamanager
- github.com/devcode-it/openstamanager/commit/43970676bcd6636ff8663652fd82579f737abb74
- github.com/devcode-it/openstamanager/releases/tag/v2.10.2
- github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98
- nvd.nist.gov/vuln/detail/CVE-2026-35168