CVE-2026-28805 - Vulnerability Analysis
HighCVSS: 8.8Last Updated: April 2, 2026
OpenSTAManager - SQL Injection
Published: April 2, 2026Updated: April 2, 2026Remote Exploitable
Overview
OpenSTAManager < 2.10.2 contains a time-based blind SQL injection caused by unsanitized 'options[stato]' GET parameter concatenated into SQL WHERE clauses, letting authenticated attackers extract sensitive database information.
Severity & Score
Severity: High
CVSS Score: 8.8
Impact
Authenticated attackers can extract sensitive data including usernames, password hashes, and financial records from the database.
Mitigation
Upgrade to version 2.10.2 or later.
References
- https://github.com/devcode-it/openstamanager/security/advisories/GHSA-3gw8-3mg3-jmpc
- https://github.com/devcode-it/openstamanager/commit/50b9089c506ba2ca249afb1dfead2af5d42c10e7
- https://github.com/devcode-it/openstamanager/commit/679c40fa5b3acad4263b537f367c0695ff9666dc
- https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2
Related Resources
Details
- CVE ID
- CVE-2026-28805
- Severity
- High
- CVSS Score
- 8.8
- Type
- sql_injection
- Status
- new
CWE
- CWE-89
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H