CVE-2026-28805: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in devcode-it openstamanager
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $superselect['stato'] and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL database. This issue has been patched in version 2.10.2.
AI Analysis
Technical Summary
OpenSTAManager, an open-source management software for technical assistance and invoicing, suffers from a critical SQL Injection vulnerability identified as CVE-2026-28805. The vulnerability arises from improper neutralization of special elements in SQL commands (CWE-89). Specifically, multiple AJAX select handlers process the options[stato] GET parameter by directly concatenating the user-supplied value from $superselect['stato'] into SQL WHERE clauses without any sanitization, parameterization, or allowlist validation. This unsafe coding practice enables an authenticated attacker to perform Time-Based Blind SQL Injection attacks against the MySQL backend database. Exploitation allows the attacker to execute arbitrary SQL statements, potentially extracting highly sensitive information such as usernames, password hashes, and financial data stored within the database. The vulnerability affects all OpenSTAManager versions prior to 2.10.2, the release in which the issue is patched. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and requiring only low privileges (an authenticated user). No known exploits are reported in the wild yet, but the vulnerability poses a significant risk due to the sensitive nature of the data managed by the software and the ease of exploitation once authenticated.
Potential Impact
The impact of CVE-2026-28805 is substantial for organizations using vulnerable versions of OpenSTAManager. Successful exploitation can lead to unauthorized disclosure of sensitive data including user credentials, password hashes, and financial records, which can facilitate further attacks such as account takeover, fraud, or financial theft. The integrity of the database can also be compromised, allowing attackers to modify or delete records, disrupting business operations and undermining the trustworthiness of the data. Availability may be affected if attackers execute destructive SQL commands or degrade database performance through time-based injection techniques. Since the vulnerability requires authentication, insider threats or compromised accounts increase the risk. Organizations relying on OpenSTAManager for invoicing and technical assistance management face potential regulatory and reputational damage if sensitive customer or financial data is leaked. The widespread use of this software in small to medium enterprises globally amplifies the potential impact.
Mitigation Recommendations
To mitigate this vulnerability, organizations should immediately upgrade OpenSTAManager to version 2.10.2 or later, where the issue is patched. Until an upgrade is possible, restrict access to the affected AJAX endpoints to trusted users only and monitor for unusual database query patterns indicative of SQL injection attempts. Implement Web Application Firewall (WAF) rules to detect and block SQL injection payloads targeting the options[stato] parameter. Developers should refactor the code to use parameterized queries or prepared statements instead of direct string concatenation for SQL commands. Input validation should be enforced with strict allowlists of expected parameter values. Regularly audit and review authentication and authorization controls to minimize the risk from compromised accounts. Additionally, monitor logs for suspicious activity and consider database activity monitoring solutions to detect anomalous queries. Back up critical data regularly to enable recovery in case of data integrity attacks.
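The refactoring the recommendations call for, shown as an added illustration that is not OpenSTAManager's own code: a hypothetical `stato` select handler in PHP that checks `options[stato]` against an allowlist and binds it as a prepared-statement parameter instead of splicing it into the WHERE clause. The table name, column names and the set of allowed states are assumptions; the handler runs against an in-memory SQLite database via PDO so it works stand-alone.

```php
<?php
// Added example, not OpenSTAManager code. The table, columns and the allowed
// states below are assumptions chosen for illustration.
declare(strict_types=1);

// Allowlist of values options[stato] may legitimately take (assumed).
const ALLOWED_STATI = ['Aperto', 'In lavorazione', 'Chiuso'];

/**
 * Return the allowlisted state, or null if the supplied value is not one of
 * the expected options. Unknown values are rejected outright rather than
 * escaped, so nothing user-controlled ever reaches the SQL text.
 */
function validateStato(mixed $raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    return in_array($raw, ALLOWED_STATI, true) ? $raw : null;
}

/**
 * Hardened handler. The advisory describes the vulnerable pattern as roughly
 *   "... WHERE ... " . $superselect['stato']
 * (the value concatenated as a bare expression). Here the state is a bound
 * parameter, and only allowlisted values are queried at all.
 */
function findInterventiByStato(PDO $db, array $superselect): array
{
    $stato = validateStato($superselect['stato'] ?? null);
    if ($stato === null) {
        return []; // a real handler would log this and answer HTTP 400
    }
    $stmt = $db->prepare('SELECT id, descrizione FROM interventi WHERE stato = :stato');
    $stmt->execute([':stato' => $stato]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed in-memory database so the example runs without a MySQL server.
$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE interventi (id INTEGER PRIMARY KEY, descrizione TEXT, stato TEXT)');
$db->exec("INSERT INTO interventi (descrizione, stato) VALUES ('Router', 'Aperto'), ('Stampante', 'Chiuso')");

// Allowlisted value: the bound query runs and returns the matching row(s).
var_dump(findInterventiByStato($db, ['stato' => 'Aperto']));
// Anything outside the allowlist (here a value carrying a quote) is refused
// before any SQL is built, so the database never sees it.
var_dump(findInterventiByStato($db, ['stato' => "Aperto'"]));
```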
Affected Countries
United States, Germany, Italy, France, United Kingdom, Canada, Australia, Brazil, India, Japan
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-03-03T14:25:19.246Z
- CVSS Version: 3.1
- State: PUBLISHED
Threat ID: 69ce7bd9e6bfc5ba1ddfe6c1
Added to database: 4/2/2026, 2:23:21 PM
Last enriched: 4/2/2026, 2:41:59 PM
Last updated: 4/3/2026, 5:57:08 AM