OpenSTAManager is an open source software designed for managing technical assistance and invoicing tasks. Versions up to 2.9.8 contain a critical SQL Injection vulnerability (CVE-2026-24418) in the Scadenzario module, which handles payment schedules. The vulnerability arises because the application does not validate that the elements of the id_records array are strictly integers before embedding them into an SQL IN() clause. This improper neutralization of special elements (CWE-89) allows an attacker to inject malicious SQL payloads. The injection is error-based, leveraging XPATH error messages to extract sensitive information from the database. The vulnerability is remotely exploitable without authentication or user interaction, increasing its risk. The CVSS 4.0 vector indicates low attack complexity, no privileges required, and no user interaction needed, with high impact on confidentiality, integrity, and availability. Although no public exploits are known yet, the critical nature of the flaw and the sensitive data involved make it a significant threat. The lack of official patches at the time of reporting necessitates immediate mitigation steps by users. This vulnerability could lead to unauthorized data disclosure, data manipulation, or denial of service, severely impacting business operations reliant on OpenSTAManager.

For European organizations, especially small and medium enterprises (SMEs) using OpenSTAManager for invoicing and technical assistance management, this vulnerability poses a significant risk of data breaches involving sensitive financial and client information. Exploitation could lead to unauthorized disclosure of confidential payment schedules and customer data, undermining trust and potentially violating data protection regulations such as GDPR. Integrity of financial records could be compromised, leading to fraudulent invoicing or manipulation of payment schedules. Availability of the service could also be disrupted by crafted SQL payloads causing database errors or crashes. The financial and reputational damage could be substantial, particularly for organizations in regulated sectors or those with high compliance requirements. The remote, unauthenticated nature of the exploit increases the likelihood of attacks, especially in environments exposed to the internet or insufficiently segmented networks.

Since no official patches are currently available, organizations should implement immediate mitigations including: 1) Restricting network access to the OpenSTAManager application, limiting it to trusted internal IPs or VPN connections to reduce exposure. 2) Employing Web Application Firewalls (WAFs) with custom rules to detect and block SQL injection patterns targeting the id_records parameter, particularly payloads attempting to manipulate the IN() clause. 3) Conducting input validation at the application or proxy level to ensure that id_records array elements are strictly integers before processing. 4) Monitoring application logs and database error messages for unusual patterns indicative of injection attempts, including XPATH error anomalies. 5) Preparing for rapid patch deployment once an official fix is released by the vendor. 6) Reviewing and hardening database permissions to minimize the impact of potential SQL injection, such as using least privilege principles and segregating database roles. 7) Educating development and operations teams about secure coding practices to prevent similar issues in future versions.