OpenSTAManager, an open-source management software for technical assistance and invoicing, contains a critical SQL injection vulnerability identified as CVE-2026-35168. This vulnerability resides in the Aggiornamenti module's database conflict resolution feature, which prior to version 2.10.2 accepts a JSON array of SQL statements via POST requests and executes them directly against the MySQL database without any form of input validation, allowlisting, or sanitization. The module explicitly disables foreign key checks (SET FOREIGN_KEY_CHECKS=0) before executing these statements, further weakening database integrity protections. An attacker with authenticated access to this module can leverage this flaw to execute arbitrary SQL commands, including but not limited to CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, and SELECT INTO OUTFILE. This level of access allows the attacker to manipulate database schema, exfiltrate sensitive data, corrupt or delete data, and potentially write files to the server filesystem. The vulnerability requires authentication but no user interaction beyond sending crafted POST requests. The CVSS v3.1 base score is 8.8, reflecting high impact on confidentiality, integrity, and availability, with low attack complexity and no user interaction required. The vulnerability was publicly disclosed on April 2, 2026, and has been patched in OpenSTAManager version 2.10.2. There are currently no known exploits in the wild, but the nature of the vulnerability makes it a significant risk for affected installations.

The impact of CVE-2026-35168 is severe for organizations using OpenSTAManager versions prior to 2.10.2. Successful exploitation allows attackers to fully compromise the backend database, leading to unauthorized data disclosure, data manipulation, or destruction. This can result in loss of sensitive customer or financial data, disruption of invoicing and technical assistance operations, and potential regulatory compliance violations. The ability to execute arbitrary SQL commands, including schema modifications and file writes, increases the risk of persistent backdoors or ransomware deployment. Organizations relying on OpenSTAManager for critical business functions face operational downtime, reputational damage, and financial losses if exploited. Since the vulnerability requires authentication, insider threats or compromised credentials significantly raise the risk. The lack of known exploits in the wild currently reduces immediate threat but does not diminish the urgency of patching due to the low complexity of exploitation and high impact.

To mitigate CVE-2026-35168, organizations should immediately upgrade OpenSTAManager to version 2.10.2 or later, where the vulnerability has been patched. Until upgrading is possible, restrict access to the Aggiornamenti module to trusted administrators only and enforce strong authentication mechanisms, including multi-factor authentication, to reduce the risk of credential compromise. Implement network segmentation and firewall rules to limit access to the management interface from untrusted networks. Monitor logs for unusual POST requests to the database conflict resolution endpoint, especially those containing SQL statements. Employ database activity monitoring to detect anomalous SQL commands and disable or restrict the use of the vulnerable module if feasible. Additionally, conduct regular credential audits and enforce least privilege principles for users with access to the module. Finally, ensure regular backups of the database are performed and tested to enable recovery in case of data corruption or loss.