CVE-2026-28805: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in devcode-it openstamanager
OpenSTAManager versions prior to 2.10.2 contain a high-severity SQL Injection vulnerability in multiple AJAX select handlers. The vulnerability arises from unsanitized user input in the options[stato] GET parameter, which is directly concatenated into SQL WHERE clauses. An authenticated attacker can exploit this to perform time-based blind SQL injection, potentially extracting sensitive data such as usernames, password hashes, and financial records. This issue has been fixed in version 2.10.2.
AI Analysis
Technical Summary
CVE-2026-28805 is a SQL Injection vulnerability (CWE-89) affecting OpenSTAManager before version 2.10.2. The flaw exists because the user-supplied value from the options[stato] GET parameter is read from $superselect['stato'] and concatenated directly into SQL queries without sanitization, parameterization, or allowlist validation. This allows an authenticated attacker to inject arbitrary SQL commands, leading to unauthorized data disclosure. The vulnerability is exploitable via time-based blind SQL injection techniques. The vendor patched this vulnerability in OpenSTAManager version 2.10.2.
Potential Impact
Successful exploitation allows an authenticated attacker to extract sensitive information stored in the MySQL database, including usernames, password hashes, and financial records. The vulnerability impacts confidentiality, integrity, and availability, as indicated by the CVSS vector (C:H/I:H/A:H). No known exploits are reported in the wild at this time.
Mitigation Recommendations
Upgrade OpenSTAManager to version 2.10.2 or later, where this SQL Injection vulnerability has been patched. Since this is a self-hosted product, users must apply the update manually. Patch status is confirmed by the vendor advisory stating the issue is fixed in version 2.10.2.
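As an added illustration, not code from OpenSTAManager or the vendor patch, the following PHP shows the defect class described above (a GET-controlled $superselect['stato'] spliced into a WHERE clause) next to an allowlist-plus-prepared-statement fix. The table, column, state values and the in-memory SQLite table used for the demo are assumptions.

```php
<?php
// Added example, not OpenSTAManager code. Reproduces the defect class the advisory
// describes beside an allowlist + prepared-statement fix. Table/column names assumed.
declare(strict_types=1);
// Vulnerable pattern: the raw value becomes part of the SQL text, so a quote in
// it ends the string literal and whatever follows is parsed as SQL.
function buildQueryVulnerable(array $superselect): string
{
    return "SELECT id, descrizione FROM documenti WHERE stato = '"
        . ($superselect['stato'] ?? '') . "'";
}

// Fix, step 1: allowlist. 'stato' is a closed vocabulary (assumed values here),
// so anything outside it is rejected before a query is built.
const ALLOWED_STATI = ['Bozza', 'Emessa', 'Pagata', 'Annullata'];

function resolveStato(array $superselect): ?string
{
    $stato = $superselect['stato'] ?? null;
    return (is_string($stato) && in_array($stato, ALLOWED_STATI, true)) ? $stato : null;
}

// Fix, step 2: bind the value. The query text is now constant; the DBMS receives
// the state as data and cannot reinterpret it as syntax.
function fetchByStato(PDO $pdo, array $superselect): array
{
    $stato = resolveStato($superselect);
    if ($stato === null) {
        throw new InvalidArgumentException('options[stato] is not a recognised state');
    }
    $stmt = $pdo->prepare('SELECT id, descrizione FROM documenti WHERE stato = :stato');
    $stmt->execute([':stato' => $stato]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Self-contained demo against an in-memory SQLite table with constructed rows.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE documenti (id INTEGER PRIMARY KEY, descrizione TEXT, stato TEXT)');
$pdo->exec("INSERT INTO documenti (descrizione, stato) VALUES ('Fattura 1', 'Pagata'), ('Fattura 2', 'Emessa')");
$benign = ['stato' => 'Pagata'];
$broken = ['stato' => "Pagata'"];            // constructed: a stray quote in the GET value
echo buildQueryVulnerable($benign), PHP_EOL;  // well-formed query
echo buildQueryVulnerable($broken), PHP_EOL;  // literal terminated early: query structure now depends on user input
print_r(fetchByStato($pdo, $benign));         // allowlisted value reaches the DB only as a bound parameter
try {
    fetchByStato($pdo, $broken);              // rejected by the allowlist, never reaches the database
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The allowlist alone would already close this particular hole because the state is a fixed vocabulary; binding the parameter as well means the query stays safe even if the vocabulary later grows to values containing quotes.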
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-03T14:25:19.246Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69ce7bd9e6bfc5ba1ddfe6c1
Added to database: 4/2/2026, 2:23:21 PM
Last enriched: 4/9/2026, 10:54:10 PM
Last updated: 5/20/2026, 9:42:21 PM