CVEReports

CVE-2026-35168: Authenticated Remote Code Execution via SQL Injection in OpenSTAManager Aggiornamenti Module

Alon Barad
Software Engineer

Apr 3, 2026

Executive Summary (TL;DR)

A critical SQL injection flaw in OpenSTAManager < 2.10.2 allows authenticated users to execute arbitrary SQL commands via the database conflict resolution feature. The application temporarily disables foreign key checks and runs user-provided queries directly.

OpenSTAManager versions prior to 2.10.2 contain a high-severity SQL Injection vulnerability in the `Aggiornamenti` module. The application accepts raw SQL statements in JSON format and executes them directly against the database without validation. This flaw enables authenticated attackers to modify database schemas, exfiltrate data, and potentially achieve remote code execution depending on database configuration.

Vulnerability Overview

OpenSTAManager is an open-source management software for technical assistance and invoicing. The application includes an Aggiornamenti (Updates) module designed to handle system upgrades and resolve database schema conflicts. This module contains a critical vulnerability in how it processes administrative actions related to database synchronization.

The specific flaw exists within the op=risolvi-conflitti-database endpoint. This feature is intended to apply structural changes to the database to resolve schema disparities. The implementation fails to enforce boundaries between data and control planes, trusting client-side input to dictate the exact SQL commands executed by the backend.

An authenticated attacker with access to the updates module can exploit this design flaw. By supplying a crafted payload, the attacker dictates the precise queries executed by the application database driver. The vulnerability constitutes an Improper Neutralization of Special Elements used in an SQL Command (CWE-89).

Technical Root Cause Analysis

The vulnerability is localized within the modules/aggiornamenti/actions.php script. When a user sends a POST request with the operation parameter set to risolvi-conflitti-database, the application parses a JSON-encoded array from the queries POST parameter and decodes this payload into a standard PHP array of strings.

The application iterates over this array and executes each string as a direct SQL query via the $dbo->query() method. The backend applies zero validation, sanitization, or allowlist checks to the strings prior to execution. The parameter is entirely user-controlled and treated as a sequence of trusted instructions.

Furthermore, the application explicitly executes SET FOREIGN_KEY_CHECKS=0 before initiating the query loop. This command disables referential integrity checks across the entire database session. The application executes SET FOREIGN_KEY_CHECKS=1 only after the loop concludes. This state change removes structural protections, allowing attackers to delete or mutate records that would normally be protected by relational constraints.

Code Analysis and Patch Implementation

The vulnerable code path implemented a direct pipeline from the HTTP request to the database driver. The original implementation extracted the queries parameter, decoded it, and passed it to the database object without scrutiny.

$queries = json_decode($_POST['queries'], true);
$dbo->query('SET FOREIGN_KEY_CHECKS=0');
foreach ($queries as $query) {
    try {
        $dbo->query($query);
    } catch (Exception $e) {
        $errors[] = $query.' - '.$e->getMessage();
    }
}
$dbo->query('SET FOREIGN_KEY_CHECKS=1');

The maintainers addressed this vulnerability in commit 43970676bcd6636ff8663652fd82579f737abb74 by introducing a regular expression allowlist. The updated logic validates each query string against predefined safe patterns before execution.

$allowed_patterns = [
    '/^ALTER\s+TABLE\s+`?[\w]+`?\s+(ADD|MODIFY|CHANGE|DROP)\s+(COLUMN\s+)?`?[\w]+`?/i',
    '/^CREATE\s+(UNIQUE\s+)?INDEX\s+`?[\w]+`?\s+ON\s+`?[\w]+`?\s*\(/i',
    '/^DROP\s+INDEX\s+`?[\w]+`?\s+ON\s+`?[\w]+`?$/i',
    '/^UPDATE\s+`?zz_views`?\s+SET\s+/i',
    '/^INSERT\s+INTO\s+`?zz_\w+`?\s*\(/i',
    '/^DELETE\s+FROM\s+`?zz_\w+`?\s+WHERE\s+/i',
];

While the patch significantly reduces the attack surface, the regular expressions validate only the prefix of the queries. The UPDATE and INSERT regex patterns do not inspect the right-hand side of the query. Attackers can still inject subqueries into the SET or VALUES clauses of permitted tables to exfiltrate data.
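To make the prefix-only behaviour of the allowlist concrete, the following is an added Python example, not OpenSTAManager's code: it applies the six patterns from the fix exactly as written, then adds a second, stricter pass that scans the whole string for statement separators, comment openers, parenthesised subqueries, UNION and file-access functions. The second pass and the sample queries (every table name other than zz_views is made up) are assumptions, not part of the upstream patch.

```python
import re

# The six allowlist patterns from the 2.10.2 fix, carried over from PCRE to Python's re module.
ALLOWED_PATTERNS = [
    re.compile(r'^ALTER\s+TABLE\s+`?[\w]+`?\s+(ADD|MODIFY|CHANGE|DROP)\s+(COLUMN\s+)?`?[\w]+`?', re.I),
    re.compile(r'^CREATE\s+(UNIQUE\s+)?INDEX\s+`?[\w]+`?\s+ON\s+`?[\w]+`?\s*\(', re.I),
    re.compile(r'^DROP\s+INDEX\s+`?[\w]+`?\s+ON\s+`?[\w]+`?$', re.I),
    re.compile(r'^UPDATE\s+`?zz_views`?\s+SET\s+', re.I),
    re.compile(r'^INSERT\s+INTO\s+`?zz_\w+`?\s*\(', re.I),
    re.compile(r'^DELETE\s+FROM\s+`?zz_\w+`?\s+WHERE\s+', re.I),
]

# Constructed second pass (an assumption, not part of the upstream fix): reject constructs that a
# prefix-only check never looks at. It is a coarse string scan, not a SQL parser, so it will also
# reject legitimate values that happen to contain these tokens.
DENY_ANYWHERE = re.compile(
    r';|--|#|/\*|\(\s*SELECT\b|\bUNION\b|\bLOAD_FILE\b|\bINTO\s+(OUTFILE|DUMPFILE)\b', re.I)


def prefix_allowed(query: str) -> bool:
    """Mirror of the patched check: accept if any allowlist pattern matches the start of the query."""
    return any(p.search(query) for p in ALLOWED_PATTERNS)


def hardened_allowed(query: str) -> bool:
    """Prefix check plus the whole-string deny scan."""
    return prefix_allowed(query) and DENY_ANYWHERE.search(query) is None


def classify(queries):
    """Return (query, passes_prefix_check, passes_hardened_check) for each decoded query."""
    return [(q, prefix_allowed(q), hardened_allowed(q)) for q in queries]


# Constructed sample 'queries' array.
SAMPLE_QUERIES = [
    "ALTER TABLE `example_table` ADD COLUMN `note` TEXT",                    # legitimate schema change
    "DROP INDEX `idx_example` ON `example_table`",                            # legitimate schema change
    "UPDATE `zz_views` SET `name` = (SELECT COUNT(*) FROM `example_table`)",  # subquery after the prefix
    "DROP TABLE example_table",                                               # never allowlisted
    "DELETE FROM `zz_example` WHERE `id` = 1; DROP TABLE example_table",      # statement separator
]

if __name__ == "__main__":
    for query, prefix_ok, hardened_ok in classify(SAMPLE_QUERIES):
        print(f"prefix={prefix_ok!s:5} hardened={hardened_ok!s:5} {query}")
```

The third and fifth queries pass the prefix check and fail the hardened one, which is the gap the paragraph above describes.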

Exploitation Methodology

Exploitation requires an active user session with authorization to access the Aggiornamenti module. The attacker intercepts or crafts an HTTP POST request directed at the actions.php endpoint. The attacker structures the payload as a JSON array of malicious SQL statements.

The attacker constructs the queries POST variable. An example payload designed to destroy data is queries=["DROP TABLE users;"]. An attacker focused on persistence or privilege escalation creates queries that manipulate authentication tables or configuration parameters.

The application returns database driver errors in the HTTP response if a query fails. The attacker parses these error strings to enumerate database schemas, table names, and column types. This immediate feedback loop facilitates reliable exploitation and lateral movement within the database layer.

Impact Assessment

The vulnerability completely compromises the confidentiality, integrity, and availability of the application database. The attacker controls the specific SQL statements executed, circumventing all application-layer access controls. The severity is reflected in the CVSS v3.1 vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H.

The attacker executes commands in the context of the database user configured for the application. Management applications typically provision database users with extensive privileges, including Data Definition Language (DDL) rights. The attacker leverages these privileges to modify database schemas, alter stored procedures, or extract sensitive financial data.

The application relies on MySQL or MariaDB backends. If the database user retains the FILE privilege, the attacker utilizes SELECT INTO OUTFILE to write arbitrary files to the host filesystem. This technique directly escalates the database compromise into arbitrary remote code execution on the application server.

Remediation and Defensive Posture

Organizations utilizing OpenSTAManager must upgrade the application to version 2.10.2 or later immediately. The official release integrates the regex-based allowlist, preventing arbitrary query execution. System administrators should verify the deployed version via the application dashboard.

Administrators must enforce the principle of least privilege at the database layer. The application database user must not possess global administrative privileges or the FILE privilege. Revoking DROP and ALTER permissions during normal operations limits the blast radius of similar vulnerabilities.

Security teams should deploy Web Application Firewall (WAF) rules targeting the specific API endpoint. WAF implementations should inspect the queries parameter within POST requests directed at modules/aggiornamenti/actions.php. Rules detecting JSON-encoded SQL keywords provide an additional defensive layer against exploitation attempts.
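As an added illustration of such a rule (example code, not part of the original report or of any WAF product), the Python below inspects request records for the endpoint and operation named above, decodes the JSON array in the queries parameter, and flags statements a schema-conflict fix should never need. The keyword list, the record format and the sample requests are constructed assumptions; the DROP TABLE payload is the one quoted earlier in the report.

```python
import json
import re
from urllib.parse import parse_qs, quote, urlparse

TARGET_PATH = "/modules/aggiornamenti/actions.php"
TARGET_OP = "risolvi-conflitti-database"
# Constructed keyword rule (assumption): statements a schema-conflict fix should never need.
SUSPICIOUS = re.compile(
    r"\b(DROP\s+TABLE|TRUNCATE|INTO\s+(OUTFILE|DUMPFILE)|LOAD_FILE|UNION|GRANT|CREATE\s+USER)\b", re.I)


def inspect_request(method, path, body):
    """Return a finding dict for a request to the conflict-resolution endpoint, else None."""
    if method != "POST" or urlparse(path).path != TARGET_PATH:
        return None
    params = parse_qs(body)
    if params.get("op", [""])[0] != TARGET_OP:
        return None
    try:
        queries = json.loads(params.get("queries", ["[]"])[0])
    except json.JSONDecodeError:
        return {"severity": "medium", "reason": "queries is not valid JSON", "queries": []}
    if not isinstance(queries, list) or not all(isinstance(q, str) for q in queries):
        return {"severity": "medium", "reason": "queries is not a JSON array of strings", "queries": []}
    hits = [q for q in queries if SUSPICIOUS.search(q)]
    if hits:
        return {"severity": "high", "reason": "suspicious SQL keyword in queries", "queries": hits}
    # The endpoint is rarely used in normal operation, so every call deserves an audit entry.
    return {"severity": "low", "reason": "conflict-resolution endpoint invoked", "queries": queries}


def scan(records):
    """Run inspect_request over (method, path, body) tuples and keep the findings."""
    return [f for f in (inspect_request(*r) for r in records) if f is not None]


# Constructed request records; bodies are form-encoded as a browser would send them.
SAMPLE_RECORDS = [
    ("GET", TARGET_PATH + "?op=" + TARGET_OP, ""),                                               # wrong method
    ("POST", TARGET_PATH, "op=" + TARGET_OP + "&queries="
     + quote('["ALTER TABLE `zz_views` ADD COLUMN `note` TEXT"]')),                             # benign use
    ("POST", TARGET_PATH, "op=" + TARGET_OP + "&queries=" + quote('["DROP TABLE users;"]')),     # report's payload
    ("POST", "/index.php", "op=" + TARGET_OP + "&queries=" + quote('["DROP TABLE users;"]')),    # wrong path
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_RECORDS):
        print(finding["severity"], finding["reason"], finding["queries"])
```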

Official Patches

  • devcode-it: Official fix commit implementing query validation
  • devcode-it: Release Notes for version 2.10.2

Technical Appendix

CVSS Score
8.8 / 10
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Systems

  • OpenSTAManager Aggiornamenti Module (modules/aggiornamenti/actions.php)
  • Underlying MySQL/MariaDB Database

Affected Versions Detail

Product: openstamanager (vendor: devcode-it)
Affected Versions: < 2.10.2
Fixed Version: 2.10.2

Attribute / Detail

  • CWE ID: CWE-89
  • Attack Vector: Network
  • CVSS v3.1: 8.8 (High)
  • Privileges Required: Low (Authenticated)
  • Impact: High Confidentiality, Integrity, Availability
  • Exploit Status: Proof of Concept Available

MITRE ATT&CK Mapping

T1190: Exploit Public-Facing Application (Initial Access)

CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')

The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command.

Vulnerability Timeline

  • 2026-03-05: Fix commit pushed to GitHub repository.
  • 2026-04-02: CVE-2026-35168 published in NVD and CVE.org.
  • 2026-04-02: GitHub Advisory (GHSA-2fr7-cc4f-wh98) released.

References & Sources

  • [1] NVD Vulnerability Detail
  • [2] GitHub Security Advisory GHSA-2fr7-cc4f-wh98
  • [3] Fix Commit
  • [4] v2.10.2 Release Notes

Attack Flow Diagram

