PT-2026-29744 · Unknown · Openstamanager
Ormzro · Published 2026-04-02 · Updated 2026-04-05 · CVE-2026-35168
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: OpenSTAManager versions prior to 2.10.2

Description: The OpenSTAManager software contains a flaw in the Aggiornamenti (Updates) module. This module includes a database conflict resolution feature that accepts a JSON array of SQL statements via POST requests to the op=risolvi-conflitti-database endpoint and executes them directly against the database without validation or sanitization. An authenticated attacker with access to the Aggiornamenti module can execute arbitrary SQL statements, including commands like CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, and SELECT INTO OUTFILE. Foreign key checks are disabled before execution, reducing database integrity protections.

Recommendations: Update OpenSTAManager to version 2.10.2 or later.
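The root cause described above is that the endpoint executes SQL text supplied by the client. The following added example (not OpenSTAManager code; the table names, statements and handler names are assumptions) contrasts that pattern with a server-side design in which the client can only select, by opaque token, statements the server itself generated, so no client-supplied SQL ever reaches the database:

```python
import json
import secrets
import sqlite3

# Constructed sample: statements the server itself proposes after a
# database conflict check (in the real product these come from migrations).
PROPOSED_FIXES = [
    "ALTER TABLE zz_invoices ADD COLUMN note TEXT",
    "CREATE INDEX idx_invoices_date ON zz_invoices(date)",
]

def make_demo_db():
    """In-memory SQLite stand-in for the application database (constructed)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE zz_invoices (id INTEGER PRIMARY KEY, date TEXT)")
    return conn

def resolve_conflicts_unsafe(conn, body):
    """Weak pattern, as in the advisory: every statement in the POSTed JSON
    array is executed verbatim, so the caller controls the full statement."""
    for stmt in json.loads(body):
        conn.execute(stmt)

class ConflictResolver:
    """Hardened pattern: the server hands out random tokens for the statements
    it proposed; the client echoes tokens back and never sends SQL text."""
    def __init__(self, proposed):
        self._by_token = {secrets.token_hex(16): s for s in proposed}

    def tokens(self):
        return list(self._by_token)

    def resolve(self, conn, body):
        """Execute only server-generated statements; return how many ran."""
        try:
            requested = json.loads(body)
        except json.JSONDecodeError:
            raise ValueError("body must be a JSON array of tokens")
        if not isinstance(requested, list) or \
           not all(isinstance(t, str) for t in requested):
            raise ValueError("body must be a JSON array of tokens")
        unknown = [t for t in requested if t not in self._by_token]
        if unknown:
            # Anything not issued by the server is refused before any execution.
            raise PermissionError("unknown statement token(s)")
        for t in requested:
            conn.execute(self._by_token[t])
        return len(requested)
```

With the hardened resolver, a body such as `["DROP TABLE zz_invoices"]` is rejected as an unknown token, while the same body against the weak handler drops the table.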

Weakness Enumeration

SQL injection

Related Identifiers

CVE-2026-35168
GHSA-2FR7-CC4F-WH98

Affected Products

Openstamanager