High severity (7.2) · NVD Advisory · Published Apr 2, 2026 · Updated Apr 7, 2026
CVE-2026-29782
Description
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the `oauth2.php` file in OpenSTAManager is an unauthenticated endpoint (`$skip_permissions = true`). It loads a record from the `zz_oauth2` table using the attacker-controlled GET parameter `state`, and during the OAuth2 configuration flow calls `unserialize()` on the `access_token` field without any class restriction, so any serialized object stored in that column is instantiated by the server. This issue has been patched in version 2.10.2.
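The pattern the description names, sketched as an added before/after illustration; this is not OpenSTAManager's code, and apart from the `zz_oauth2` table and the `state` and `access_token` columns every name (PDO handle, session layout, function names) is an assumption.

```php
<?php
// Added illustration, not OpenSTAManager's code. zz_oauth2, state and
// access_token are from the advisory; the PDO handle, the session check
// and the helper names are assumed.

// BEFORE: the pattern the advisory describes. No authentication, the row
// is selected by the caller-controlled ?state=..., and access_token is
// handed to unserialize() with no class restriction, so a stored object
// is instantiated and its magic methods run on the server.
function load_oauth2_token_unsafe(PDO $db): mixed
{
    $stmt = $db->prepare('SELECT access_token FROM zz_oauth2 WHERE state = ?');
    $stmt->execute([$_GET['state'] ?? '']);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ? unserialize($row['access_token']) : null;
}

// AFTER: (1) require an authenticated session instead of skipping the
// permission check, (2) never create objects from stored data:
// allowed_classes => false turns any serialized object into
// __PHP_Incomplete_Class, which the is_array() check rejects, and
// (3) read plain-data JSON for rows written by the fixed code path.
function load_oauth2_token_safe(PDO $db, string $state): ?array
{
    if (empty($_SESSION['user_id'])) {   // assumed session layout
        http_response_code(403);
        return null;
    }
    $stmt = $db->prepare('SELECT access_token FROM zz_oauth2 WHERE state = ?');
    $stmt->execute([$state]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if (!$row) {
        return null;
    }
    // Legacy rows written with serialize(): decode without object creation.
    $data = @unserialize($row['access_token'], ['allowed_classes' => false]);
    if ($data === false) {
        // Rows written after the fix are assumed to hold JSON.
        $data = json_decode($row['access_token'], true);
    }
    return is_array($data) ? $data : null;
}
```

Reviewing a codebase for the same class of defect means grepping for `unserialize(` calls whose input is read from a database, a cookie or a request, and checking that each passes `allowed_classes` (ideally `false`) or is replaced by `json_decode()`.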
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| devcode-it/openstamanager (Packagist) | < 2.10.2 | 2.10.2 |
References
- github.com/devcode-it/openstamanager/commit/d2e38cbdf91a831cefc0da1548e02b297ae644cc (patch, NVD)
- github.com/devcode-it/openstamanager/security/advisories/GHSA-whv5-4q2f-q68g (vendor advisory, exploit and mitigation details, NVD)
- github.com/advisories/GHSA-whv5-4q2f-q68g (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-29782 (NVD advisory)
- github.com/devcode-it/openstamanager/releases/tag/v2.10.2 (release notes, NVD)