theinfosecnews

CVE-2026-35470

Published April 6, 2026 · Updated April 7, 2026

CVSS 8.8 (High)

What This Means

CVE-2026-35470 is a high-severity SQL injection vulnerability in OpenSTAManager versions prior to 2.10.2. The vulnerability exists because the `righe` parameter is not properly validated or sanitized, allowing an authenticated attacker to execute arbitrary SQL commands. To mitigate this risk, upgrade to OpenSTAManager version 2.10.2 or later immediately.

Official Description

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to 2.10.2, confronta_righe.php files across different modules in OpenSTAManager contain an SQL Injection vulnerability. The righe parameter received via $_GET['righe'] is directly concatenated into an SQL query without any sanitization, parameterization or validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including user credentials, customer information, invoice data and any other stored data. This vulnerability is fixed in 2.10.2.
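To make the defect concrete, here is an added illustration (not OpenSTAManager's own code) of the pattern the description names, a request parameter concatenated into SQL text, beside a hardened version that validates the value and binds it through a prepared statement. The table name, the column names and the assumption that `righe` carries a comma-separated list of row IDs are hypothetical.

```php
<?php
// Vulnerable pattern as described in the advisory: the raw value of
// $_GET['righe'] becomes part of the SQL text, so the client controls the
// query structure rather than just a value. (Illustrative table name.)
function buildRowsQueryUnsafe(string $righe): string
{
    return "SELECT * FROM righe_documento WHERE id IN (" . $righe . ")";
}

// Hardened version: validate the parameter as a list of integers, then bind
// each value as a separate placeholder so the SQL text never contains input.
function fetchRowsSafe(PDO $db, string $righe): array
{
    $ids = array_map('trim', explode(',', $righe));
    foreach ($ids as $id) {
        // Reject anything that is not a plain decimal integer (\z avoids the
        // trailing-newline match that $ would allow).
        if (!preg_match('/^\d{1,10}\z/', $id)) {
            throw new InvalidArgumentException(
                'righe must be a comma-separated list of integer IDs'
            );
        }
    }

    // One "?" per id, e.g. "?, ?, ?", so the IN list itself is parameterized.
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare(
        "SELECT * FROM righe_documento WHERE id IN ($placeholders)"
    );
    foreach ($ids as $i => $id) {
        $stmt->bindValue($i + 1, (int) $id, PDO::PARAM_INT);
    }
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Stand-alone demo against an in-memory SQLite database with constructed rows.
$db = new PDO('sqlite::memory:', null, null,
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE righe_documento (id INTEGER PRIMARY KEY, descrizione TEXT)');
$db->exec("INSERT INTO righe_documento VALUES (1,'riga uno'),(2,'riga due'),(3,'riga tre')");

print_r(fetchRowsSafe($db, '1, 3'));   // returns rows 1 and 3

try {
    fetchRowsSafe($db, '1, x');        // non-integer element is rejected
} catch (InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```

For MySQL-backed deployments the same approach applies; set `PDO::ATTR_EMULATE_PREPARES` to `false` so binding is done server-side rather than by client-side quoting.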

Recommended Actions

  1. Check whether any of your systems run OpenSTAManager versions prior to 2.10.2.
  2. Upgrade to OpenSTAManager 2.10.2 or later as soon as possible.
  3. Monitor vendor advisories for updates and additional mitigations.
  4. Review logs for indicators of compromise related to CVE-2026-35470.
