OpenSTAManager, an open-source management software for technical assistance and invoicing, suffers from a critical SQL Injection vulnerability identified as CVE-2026-24419. The vulnerability resides in the Prima Nota (Journal Entry) module, specifically in the add.php file. The application accepts a GET parameter named id_documenti, which is expected to be a comma-separated list of document IDs. However, the software fails to validate that each value in this list is an integer before incorporating them into SQL IN() clauses. This improper neutralization of special elements (CWE-89) allows attackers to inject malicious SQL code. Exploitation leverages error-based SQL injection techniques, where attackers can extract sensitive database information by triggering XPATH error messages. The vulnerability can be exploited remotely without authentication or user interaction, requiring only low privileges. The CVSS 4.0 base score is 8.7 (high severity), reflecting the network attack vector, low attack complexity, no privileges required, and high impact on confidentiality, integrity, and availability. No patches are currently available, and no known exploits have been reported in the wild as of the publication date. The vulnerability poses a significant risk to organizations relying on OpenSTAManager for critical business functions, potentially leading to data leakage, unauthorized data manipulation, and disruption of invoicing and technical assistance operations.

For European organizations using OpenSTAManager, this vulnerability could lead to severe data breaches including exposure of sensitive financial and operational data managed within the software. The ability to execute arbitrary SQL commands may allow attackers to extract confidential client information, alter invoicing records, or disrupt journal entries, impacting business continuity and compliance with data protection regulations such as GDPR. The high severity and ease of exploitation increase the risk of targeted attacks, especially against SMEs and service providers in sectors reliant on OpenSTAManager. Compromise could also damage organizational reputation and result in financial penalties. Additionally, the lack of authentication requirement broadens the attack surface, enabling external threat actors to exploit the vulnerability remotely without insider access. The potential for data integrity violations and availability issues further exacerbates operational risks for European entities.

Organizations should immediately audit their use of OpenSTAManager and identify any instances running version 2.9.8 or earlier. Since no official patches are currently available, temporary mitigations include implementing strict input validation and sanitization on the id_documenti parameter, ensuring only integer values are accepted before processing. Web application firewalls (WAFs) can be configured to detect and block SQL injection patterns targeting this parameter. Network segmentation and access controls should limit exposure of the OpenSTAManager interface to trusted internal networks or VPN users only. Monitoring and logging of unusual database errors or anomalous query patterns can help detect exploitation attempts. Organizations should engage with the vendor or open-source community for updates and patches and plan for prompt application once released. Additionally, conducting regular security assessments and penetration tests focusing on injection flaws will help identify residual risks.