High severity8.8NVD Advisory· Published Apr 2, 2026· Updated Apr 7, 2026

CVE-2026-28805

Description

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $superselect['stato'] and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL database. This issue has been patched in version 2.10.2.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
devcode-it/openstamanagerPackagist	< 2.10.2	2.10.2

Affected products

Devcode/Openstamanager
cpe:2.3:a:devcode:openstamanager:*:*:*:*:*:*:*:*
Range: <2.10.2

Patches

50b9089c506b

fix: Time-Based Blind SQL Injection via `options[stato]` Parameter

https://github.com/devcode-it/openstamanagervalentinaMar 5, 2026via ghsa

commit

3 files changed · +3 −2

modules/contratti/ajax/select.php+1 −1 modified

@@ -57,7 +57,7 @@
             $stato = !empty($superselect['stato']) && in_array($superselect['stato'], $allowed_stati)
                 ? $superselect['stato']
                 : 'is_pianificabile';
-            $where[] = '`idstato` IN (SELECT `id` FROM `co_staticontratti` WHERE '.$stato.' = 1)';
+            $where[] = '`idstato` IN (SELECT `id` FROM `co_staticontratti` WHERE `'.str_replace('`', '', $stato).'` = 1)';
         }
 
         if (!empty($search)) {

modules/ordini/ajax/select.php+1 −0 modified

@@ -53,6 +53,7 @@
                     ? $superselect['stato']
                     : 'is_fatturabile';
                 $where[] = '`or_statiordine`.'.$stato.' = 1';
+                $where[] = '`or_statiordine`.`'.str_replace('`', '', $stato).'` = 1';
             }
         }

modules/preventivi/ajax/select.php+1 −1 modified

@@ -60,7 +60,7 @@
                 $stato = !empty($superselect['stato']) && in_array($superselect['stato'], $allowed_stati)
                     ? $superselect['stato']
                     : 'is_pianificabile';
-                $where[] = '('.$stato.' = 1)';
+                $where[] = '(`'.str_replace('`', '', $stato).'` = 1)';
             }
 
             if (!empty($search)) {

679c40fa5b3a

fix: Time-Based Blind SQL Injection via `options[stato]` Parameter

https://github.com/devcode-it/openstamanagervalentinaMar 5, 2026via ghsa

commit

3 files changed · +12 −3

modules/contratti/ajax/select.php+4 −1 modified

@@ -53,7 +53,10 @@
 
         if (empty($elements)) {
             $where[] = '`an_anagrafiche`.`idanagrafica`='.prepare($superselect['idanagrafica']);
-            $stato = !empty($superselect['stato']) ? $superselect['stato'] : 'is_pianificabile';
+            $allowed_stati = ['is_pianificabile', 'is_completato', 'is_fatturabile'];
+            $stato = !empty($superselect['stato']) && in_array($superselect['stato'], $allowed_stati)
+                ? $superselect['stato']
+                : 'is_pianificabile';
             $where[] = '`idstato` IN (SELECT `id` FROM `co_staticontratti` WHERE '.$stato.' = 1)';
         }

modules/ordini/ajax/select.php+4 −1 modified

@@ -48,7 +48,10 @@
             if (empty($elements)) {
                 $where[] = '`an_anagrafiche`.`idanagrafica`='.prepare($superselect['idanagrafica']);
 
-                $stato = !empty($superselect['stato']) ? $superselect['stato'] : 'is_fatturabile';
+                $allowed_stati = ['is_fatturabile', 'is_evadibile', 'is_completato'];
+                $stato = !empty($superselect['stato']) && in_array($superselect['stato'], $allowed_stati)
+                    ? $superselect['stato']
+                    : 'is_fatturabile';
                 $where[] = '`or_statiordine`.'.$stato.' = 1';
             }
         }

modules/preventivi/ajax/select.php+4 −1 modified

@@ -56,7 +56,10 @@
                 $where[] = '`an_anagrafiche`.`idanagrafica`='.prepare($superselect['idanagrafica']);
                 $where[] = '`co_preventivi`.`default_revision`=1';
 
-                $stato = !empty($superselect['stato']) ? $superselect['stato'] : 'is_pianificabile';
+                $allowed_stati = ['is_pianificabile', 'is_completato', 'is_fatturabile', 'is_concluso'];
+                $stato = !empty($superselect['stato']) && in_array($superselect['stato'], $allowed_stati)
+                    ? $superselect['stato']
+                    : 'is_pianificabile';
                 $where[] = '('.$stato.' = 1)';
             }

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/devcode-it/openstamanager/commit/50b9089c506ba2ca249afb1dfead2af5d42c10e7nvdPatchWEB
github.com/devcode-it/openstamanager/commit/679c40fa5b3acad4263b537f367c0695ff9666dcnvdPatchWEB
github.com/devcode-it/openstamanager/security/advisories/GHSA-3gw8-3mg3-jmpcnvdExploitMitigationVendor AdvisoryWEB
github.com/advisories/GHSA-3gw8-3mg3-jmpcghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-28805ghsaADVISORY
github.com/devcode-it/openstamanager/releases/tag/v2.10.2nvdProductRelease NotesWEB

News mentions

No linked articles in our index yet.

cvss	0.572
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000