CVE-2026-35168: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in devcode-it openstamanager
OpenSTAManager versions prior to 2. 10. 2 contain a SQL injection vulnerability in the Aggiornamenti (Updates) module. This module accepts a JSON array of SQL statements via POST and executes them directly on the database without validation or sanitization. An authenticated user with access to this module can execute arbitrary SQL commands, including destructive operations like DROP or ALTER. The vulnerability disables foreign key checks before execution, increasing the risk of database integrity compromise. This issue is patched in version 2. 10. 2.
AI Analysis
Technical Summary
CVE-2026-35168 is a high-severity SQL injection vulnerability in devcode-it's OpenSTAManager software affecting versions before 2.10.2. The vulnerability exists in the Aggiornamenti module's database conflict resolution feature, which accepts and executes arbitrary SQL statements from a JSON array in POST requests without any input validation or sanitization. This allows an authenticated attacker to execute any SQL command supported by MySQL, including data manipulation and schema alteration commands. The vulnerability also disables foreign key checks (SET FOREIGN_KEY_CHECKS=0) prior to execution, further weakening database integrity protections. The issue has been addressed by a patch in OpenSTAManager version 2.10.2.
Potential Impact
An authenticated attacker with access to the vulnerable module can execute arbitrary SQL commands on the backend MySQL database. This can lead to full compromise of the database, including unauthorized data disclosure, data modification, deletion, and schema changes. The disabling of foreign key checks increases the risk of corrupting database integrity. The vulnerability has a CVSS 3.1 score of 8.8, indicating high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
A patch fixing this vulnerability is available in OpenSTAManager version 2.10.2. Users should upgrade to version 2.10.2 or later to remediate this issue. Since this is not a cloud service, remediation requires applying the official software update. No vendor advisory content contradicts this; therefore, upgrading is the recommended mitigation.
CVE-2026-35168: CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in devcode-it openstamanager
Description
OpenSTAManager versions prior to 2. 10. 2 contain a SQL injection vulnerability in the Aggiornamenti (Updates) module. This module accepts a JSON array of SQL statements via POST and executes them directly on the database without validation or sanitization. An authenticated user with access to this module can execute arbitrary SQL commands, including destructive operations like DROP or ALTER. The vulnerability disables foreign key checks before execution, increasing the risk of database integrity compromise. This issue is patched in version 2. 10. 2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-35168 is a high-severity SQL injection vulnerability in devcode-it's OpenSTAManager software affecting versions before 2.10.2. The vulnerability exists in the Aggiornamenti module's database conflict resolution feature, which accepts and executes arbitrary SQL statements from a JSON array in POST requests without any input validation or sanitization. This allows an authenticated attacker to execute any SQL command supported by MySQL, including data manipulation and schema alteration commands. The vulnerability also disables foreign key checks (SET FOREIGN_KEY_CHECKS=0) prior to execution, further weakening database integrity protections. The issue has been addressed by a patch in OpenSTAManager version 2.10.2.
Potential Impact
An authenticated attacker with access to the vulnerable module can execute arbitrary SQL commands on the backend MySQL database. This can lead to full compromise of the database, including unauthorized data disclosure, data modification, deletion, and schema changes. The disabling of foreign key checks increases the risk of corrupting database integrity. The vulnerability has a CVSS 3.1 score of 8.8, indicating high impact on confidentiality, integrity, and availability.
Mitigation Recommendations
A patch fixing this vulnerability is available in OpenSTAManager version 2.10.2. Users should upgrade to version 2.10.2 or later to remediate this issue. Since this is not a cloud service, remediation requires applying the official software update. No vendor advisory content contradicts this; therefore, upgrading is the recommended mitigation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-01T17:26:21.133Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 69ce7bd9e6bfc5ba1ddfe6de
Added to database: 4/2/2026, 2:23:21 PM
Last enriched: 4/10/2026, 12:03:44 AM
Last updated: 5/20/2026, 8:52:23 PM
Views: 69
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.