Look up vulnerable packages by Package URL.

GET /api/packages/879321?format=api
HTTP 200 OK
Allow: GET, HEAD, OPTIONS
Content-Type: application/json
Vary: Accept

{
    "url": "http://public2.vulnerablecode.io/api/packages/879321?format=api",
    "purl": "pkg:composer/devcode-it/openstamanager@2.7.2",
    "type": "composer",
    "namespace": "devcode-it",
    "name": "openstamanager",
    "version": "2.7.2",
    "qualifiers": {},
    "subpath": "",
    "is_vulnerable": true,
    "next_non_vulnerable_version": "2.10.2",
    "latest_non_vulnerable_version": "2.10.2",
    "affected_by_vulnerabilities": [
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71660?format=api",
            "vulnerability_id": "VCID-8yfb-n5dh-xbab",
            "summary": "OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to 2.10.2, confronta_righe.php files across different modules in OpenSTAManager contain an SQL Injection vulnerability. The righe parameter received via $_GET['righe'] is directly concatenated into an SQL query without any sanitization, parameterization or validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including user credentials, customer information, invoice data and any other stored data. This vulnerability is fixed in 2.10.2.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35470",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00014",
                            "scoring_system": "epss",
                            "scoring_elements": "0.02843",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00014",
                            "scoring_system": "epss",
                            "scoring_elements": "0.02836",
                            "published_at": "2026-06-11T12:55:00Z"
                        },
                        {
                            "value": "0.00017",
                            "scoring_system": "epss",
                            "scoring_elements": "0.04197",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.00017",
                            "scoring_system": "epss",
                            "scoring_elements": "0.042",
                            "published_at": "2026-06-14T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35470"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35470",
                    "reference_id": "CVE-2026-35470",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35470"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-mmm5-3g4x-qw39",
                    "reference_id": "GHSA-mmm5-3g4x-qw39",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-mmm5-3g4x-qw39"
                },
                {
                    "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-mmm5-3g4x-qw39",
                    "reference_id": "GHSA-mmm5-3g4x-qw39",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-07T14:06:23Z/"
                        }
                    ],
                    "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-mmm5-3g4x-qw39"
                },
                {
                    "reference_url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2",
                    "reference_id": "v2.10.2",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-07T14:06:23Z/"
                        }
                    ],
                    "url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/373722?format=api",
                    "purl": "pkg:composer/devcode-it/openstamanager@2.10.2",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.10.2"
                }
            ],
            "aliases": [
                "CVE-2026-35470",
                "GHSA-mmm5-3g4x-qw39"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-8yfb-n5dh-xbab"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/83099?format=api",
            "vulnerability_id": "VCID-9xxa-jz3x-j7f2",
            "summary": "OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contains Reflected XSS vulnerabilities in invoice/order/contract modification modals. The application fails to properly sanitize user-supplied input from the righe GET parameter before reflecting it in HTML output.The $_GET['righe'] parameter is directly echoed into the HTML value attribute without any sanitization using htmlspecialchars() or equivalent functions. This allows an attacker to break out of the attribute context and inject arbitrary HTML/JavaScript.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24415",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.0002",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05695",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.0002",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05686",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.0002",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05703",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.0002",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05677",
                            "published_at": "2026-06-11T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24415"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24415",
                    "reference_id": "CVE-2026-24415",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "5.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24415"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-jfgp-g7x7-j25j",
                    "reference_id": "GHSA-jfgp-g7x7-j25j",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-jfgp-g7x7-j25j"
                },
                {
                    "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-jfgp-g7x7-j25j",
                    "reference_id": "GHSA-jfgp-g7x7-j25j",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "MODERATE",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "5.1",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "MODERATE",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2026-03-04T21:17:09Z/"
                        }
                    ],
                    "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-jfgp-g7x7-j25j"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/38673?format=api",
                    "purl": "pkg:composer/devcode-it/openstamanager@2.9.8",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-8yfb-n5dh-xbab"
                        },
                        {
                            "vulnerability": "VCID-9zpu-9n1t-muh1"
                        },
                        {
                            "vulnerability": "VCID-arft-nr1k-6fbe"
                        },
                        {
                            "vulnerability": "VCID-bfeu-e7dd-xfdm"
                        },
                        {
                            "vulnerability": "VCID-c5z8-7azx-4qcj"
                        },
                        {
                            "vulnerability": "VCID-c8hy-uvm2-bfhx"
                        },
                        {
                            "vulnerability": "VCID-kp7s-72jv-cqg9"
                        },
                        {
                            "vulnerability": "VCID-kzsm-amyh-z7h7"
                        },
                        {
                            "vulnerability": "VCID-m5gj-5m2q-fqe6"
                        },
                        {
                            "vulnerability": "VCID-mgj8-uc4s-ebby"
                        },
                        {
                            "vulnerability": "VCID-tyyx-fdu3-k3ce"
                        },
                        {
                            "vulnerability": "VCID-vwa6-3bwc-uqga"
                        },
                        {
                            "vulnerability": "VCID-y5uk-by6v-tbct"
                        },
                        {
                            "vulnerability": "VCID-yy49-aces-uugv"
                        },
                        {
                            "vulnerability": "VCID-zf18-hsf6-huhu"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.9.8"
                }
            ],
            "aliases": [
                "CVE-2026-24415",
                "GHSA-jfgp-g7x7-j25j"
            ],
            "risk_score": 3.1,
            "exploitability": "0.5",
            "weighted_severity": "6.2",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9xxa-jz3x-j7f2"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/123679?format=api",
            "vulnerability_id": "VCID-9zpu-9n1t-muh1",
            "summary": "OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, a SQL Injection vulnerability exists in the ajax_complete.php endpoint when handling the get_sedi operation. An authenticated attacker can inject malicious SQL code through the idanagrafica parameter, leading to unauthorized database access. At time of publication, no known patch exists.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69213",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00058",
                            "scoring_system": "epss",
                            "scoring_elements": "0.18765",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00058",
                            "scoring_system": "epss",
                            "scoring_elements": "0.18757",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00058",
                            "scoring_system": "epss",
                            "scoring_elements": "0.18782",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.00058",
                            "scoring_system": "epss",
                            "scoring_elements": "0.18602",
                            "published_at": "2026-06-11T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69213"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69213",
                    "reference_id": "CVE-2025-69213",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69213"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-w995-ff8h-rppg",
                    "reference_id": "GHSA-w995-ff8h-rppg",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-w995-ff8h-rppg"
                },
                {
                    "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-w995-ff8h-rppg",
                    "reference_id": "GHSA-w995-ff8h-rppg",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-04T19:32:28Z/"
                        }
                    ],
                    "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-w995-ff8h-rppg"
                }
            ],
            "fixed_packages": [],
            "aliases": [
                "CVE-2025-69213",
                "GHSA-w995-ff8h-rppg"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9zpu-9n1t-muh1"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/123667?format=api",
            "vulnerability_id": "VCID-arft-nr1k-6fbe",
            "summary": "OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69212",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00152",
                            "scoring_system": "epss",
                            "scoring_elements": "0.35894",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.00152",
                            "scoring_system": "epss",
                            "scoring_elements": "0.35881",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00152",
                            "scoring_system": "epss",
                            "scoring_elements": "0.35871",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00152",
                            "scoring_system": "epss",
                            "scoring_elements": "0.35691",
                            "published_at": "2026-06-11T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69212"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69212",
                    "reference_id": "CVE-2025-69212",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.4",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69212"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-25fp-8w8p-mx36",
                    "reference_id": "GHSA-25fp-8w8p-mx36",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-25fp-8w8p-mx36"
                },
                {
                    "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36",
                    "reference_id": "GHSA-25fp-8w8p-mx36",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "9.4",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-09T15:20:50Z/"
                        }
                    ],
                    "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/940767?format=api",
                    "purl": "pkg:composer/devcode-it/openstamanager@2.10-beta",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-8yfb-n5dh-xbab"
                        },
                        {
                            "vulnerability": "VCID-bfeu-e7dd-xfdm"
                        },
                        {
                            "vulnerability": "VCID-kp7s-72jv-cqg9"
                        },
                        {
                            "vulnerability": "VCID-kzsm-amyh-z7h7"
                        },
                        {
                            "vulnerability": "VCID-y5uk-by6v-tbct"
                        },
                        {
                            "vulnerability": "VCID-zf18-hsf6-huhu"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.10-beta"
                }
            ],
            "aliases": [
                "CVE-2025-69212",
                "GHSA-25fp-8w8p-mx36"
            ],
            "risk_score": 4.5,
            "exploitability": "0.5",
            "weighted_severity": "9.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-arft-nr1k-6fbe"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/69684?format=api",
            "vulnerability_id": "VCID-bfeu-e7dd-xfdm",
            "summary": "OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $superselect['stato'] and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL database. This issue has been patched in version 2.10.2.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28805",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00017",
                            "scoring_system": "epss",
                            "scoring_elements": "0.04389",
                            "published_at": "2026-06-11T12:55:00Z"
                        },
                        {
                            "value": "0.00017",
                            "scoring_system": "epss",
                            "scoring_elements": "0.04376",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00017",
                            "scoring_system": "epss",
                            "scoring_elements": "0.04393",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00017",
                            "scoring_system": "epss",
                            "scoring_elements": "0.04378",
                            "published_at": "2026-06-13T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-28805"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28805",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28805"
                },
                {
                    "reference_url": "https://github.com/devcode-it/openstamanager/commit/50b9089c506ba2ca249afb1dfead2af5d42c10e7",
                    "reference_id": "50b9089c506ba2ca249afb1dfead2af5d42c10e7",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T18:30:58Z/"
                        }
                    ],
                    "url": "https://github.com/devcode-it/openstamanager/commit/50b9089c506ba2ca249afb1dfead2af5d42c10e7"
                },
                {
                    "reference_url": "https://github.com/devcode-it/openstamanager/commit/679c40fa5b3acad4263b537f367c0695ff9666dc",
                    "reference_id": "679c40fa5b3acad4263b537f367c0695ff9666dc",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T18:30:58Z/"
                        }
                    ],
                    "url": "https://github.com/devcode-it/openstamanager/commit/679c40fa5b3acad4263b537f367c0695ff9666dc"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-3gw8-3mg3-jmpc",
                    "reference_id": "GHSA-3gw8-3mg3-jmpc",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-3gw8-3mg3-jmpc"
                },
                {
                    "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-3gw8-3mg3-jmpc",
                    "reference_id": "GHSA-3gw8-3mg3-jmpc",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T18:30:58Z/"
                        }
                    ],
                    "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-3gw8-3mg3-jmpc"
                },
                {
                    "reference_url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2",
                    "reference_id": "v2.10.2",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T18:30:58Z/"
                        }
                    ],
                    "url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/373722?format=api",
                    "purl": "pkg:composer/devcode-it/openstamanager@2.10.2",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.10.2"
                }
            ],
            "aliases": [
                "CVE-2026-28805",
                "GHSA-3gw8-3mg3-jmpc"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bfeu-e7dd-xfdm"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/123927?format=api",
            "vulnerability_id": "VCID-c5z8-7azx-4qcj",
            "summary": "OpenSTAManager is an open source management software for technical assistance and invoicing. In versions 2.9.8 and earlier, there is an SQL Injection vulnerability in the Stampe Module. At the time of publication, no known patch exists.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69215",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00055",
                            "scoring_system": "epss",
                            "scoring_elements": "0.17828",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00055",
                            "scoring_system": "epss",
                            "scoring_elements": "0.17819",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00055",
                            "scoring_system": "epss",
                            "scoring_elements": "0.17844",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.00055",
                            "scoring_system": "epss",
                            "scoring_elements": "0.17668",
                            "published_at": "2026-06-11T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69215"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69215",
                    "reference_id": "CVE-2025-69215",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69215"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-qx9p-w3vj-q24q",
                    "reference_id": "GHSA-qx9p-w3vj-q24q",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-qx9p-w3vj-q24q"
                },
                {
                    "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-qx9p-w3vj-q24q",
                    "reference_id": "GHSA-qx9p-w3vj-q24q",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-04T19:31:22Z/"
                        }
                    ],
                    "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-qx9p-w3vj-q24q"
                }
            ],
            "fixed_packages": [],
            "aliases": [
                "CVE-2025-69215",
                "GHSA-qx9p-w3vj-q24q"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c5z8-7azx-4qcj"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/123904?format=api",
            "vulnerability_id": "VCID-c8hy-uvm2-bfhx",
            "summary": "OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, an authenticated SQL injection vulnerability in OpenSTAManager's Scadenzario (Payment Schedule) print template allows any authenticated user to extract sensitive data from the database, including admin credentials, customer information, and financial records. The vulnerability exists in templates/scadenzario/init.php, where the id_anagrafica parameter is directly concatenated into an SQL query without proper sanitization. The vulnerability enables complete database read access through error-based SQL injection techniques.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69216",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.03086",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.03081",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.03069",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.03073",
                            "published_at": "2026-06-11T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69216"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69216",
                    "reference_id": "CVE-2025-69216",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69216"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-q6g3-fv43-m2w6",
                    "reference_id": "GHSA-q6g3-fv43-m2w6",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-q6g3-fv43-m2w6"
                },
                {
                    "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-q6g3-fv43-m2w6",
                    "reference_id": "GHSA-q6g3-fv43-m2w6",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-09T15:20:53Z/"
                        }
                    ],
                    "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-q6g3-fv43-m2w6"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/940767?format=api",
                    "purl": "pkg:composer/devcode-it/openstamanager@2.10-beta",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-8yfb-n5dh-xbab"
                        },
                        {
                            "vulnerability": "VCID-bfeu-e7dd-xfdm"
                        },
                        {
                            "vulnerability": "VCID-kp7s-72jv-cqg9"
                        },
                        {
                            "vulnerability": "VCID-kzsm-amyh-z7h7"
                        },
                        {
                            "vulnerability": "VCID-y5uk-by6v-tbct"
                        },
                        {
                            "vulnerability": "VCID-zf18-hsf6-huhu"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.10-beta"
                }
            ],
            "aliases": [
                "CVE-2025-69216",
                "GHSA-q6g3-fv43-m2w6"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c8hy-uvm2-bfhx"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/212382?format=api",
            "vulnerability_id": "VCID-h7ex-t99g-pfga",
            "summary": "OpenSTAManager has Authenticated SQL Injection in API via 'display' parameter",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-65103",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00012",
                            "scoring_system": "epss",
                            "scoring_elements": "0.01722",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00012",
                            "scoring_system": "epss",
                            "scoring_elements": "0.01719",
                            "published_at": "2026-06-11T12:55:00Z"
                        },
                        {
                            "value": "0.00012",
                            "scoring_system": "epss",
                            "scoring_elements": "0.01734",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00012",
                            "scoring_system": "epss",
                            "scoring_elements": "0.01725",
                            "published_at": "2026-06-13T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-65103"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65103",
                    "reference_id": "CVE-2025-65103",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65103"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-2jm2-2p35-rp3j",
                    "reference_id": "GHSA-2jm2-2p35-rp3j",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-2jm2-2p35-rp3j"
                },
                {
                    "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2jm2-2p35-rp3j",
                    "reference_id": "GHSA-2jm2-2p35-rp3j",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2jm2-2p35-rp3j"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/35351?format=api",
                    "purl": "pkg:composer/devcode-it/openstamanager@2.9.5",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-8yfb-n5dh-xbab"
                        },
                        {
                            "vulnerability": "VCID-9xxa-jz3x-j7f2"
                        },
                        {
                            "vulnerability": "VCID-9zpu-9n1t-muh1"
                        },
                        {
                            "vulnerability": "VCID-arft-nr1k-6fbe"
                        },
                        {
                            "vulnerability": "VCID-bfeu-e7dd-xfdm"
                        },
                        {
                            "vulnerability": "VCID-c5z8-7azx-4qcj"
                        },
                        {
                            "vulnerability": "VCID-c8hy-uvm2-bfhx"
                        },
                        {
                            "vulnerability": "VCID-kp7s-72jv-cqg9"
                        },
                        {
                            "vulnerability": "VCID-kzsm-amyh-z7h7"
                        },
                        {
                            "vulnerability": "VCID-m5gj-5m2q-fqe6"
                        },
                        {
                            "vulnerability": "VCID-mgj8-uc4s-ebby"
                        },
                        {
                            "vulnerability": "VCID-tyyx-fdu3-k3ce"
                        },
                        {
                            "vulnerability": "VCID-vwa6-3bwc-uqga"
                        },
                        {
                            "vulnerability": "VCID-y5uk-by6v-tbct"
                        },
                        {
                            "vulnerability": "VCID-yy49-aces-uugv"
                        },
                        {
                            "vulnerability": "VCID-zf18-hsf6-huhu"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.9.5"
                }
            ],
            "aliases": [
                "CVE-2025-65103",
                "GHSA-2jm2-2p35-rp3j"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-h7ex-t99g-pfga"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/83066?format=api",
            "vulnerability_id": "VCID-kp7s-72jv-cqg9",
            "summary": "OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the global search functionality. The application fails to properly sanitize the term parameter before using it in SQL LIKE clauses across multiple module-specific search handlers, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24417",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.03086",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.03081",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.03069",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.03073",
                            "published_at": "2026-06-11T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24417"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24417",
                    "reference_id": "CVE-2026-24417",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24417"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-4hc4-8599-xh2h",
                    "reference_id": "GHSA-4hc4-8599-xh2h",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-4hc4-8599-xh2h"
                },
                {
                    "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4hc4-8599-xh2h",
                    "reference_id": "GHSA-4hc4-8599-xh2h",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-06T18:55:27Z/"
                        }
                    ],
                    "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4hc4-8599-xh2h"
                }
            ],
            "fixed_packages": [],
            "aliases": [
                "CVE-2026-24417",
                "GHSA-4hc4-8599-xh2h"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kp7s-72jv-cqg9"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/74037?format=api",
            "vulnerability_id": "VCID-kzsm-amyh-z7h7",
            "summary": "OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize() on the access_token field without any class restriction. Because unserialize() without an allowed_classes restriction can instantiate arbitrary classes, this is a PHP object injection risk if the stored access_token value can be influenced by an attacker. This issue has been patched in version 2.10.2.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29782",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.0008",
                            "scoring_system": "epss",
                            "scoring_elements": "0.23574",
                            "published_at": "2026-06-11T12:55:00Z"
                        },
                        {
                            "value": "0.0008",
                            "scoring_system": "epss",
                            "scoring_elements": "0.23761",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.0008",
                            "scoring_system": "epss",
                            "scoring_elements": "0.23781",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.0008",
                            "scoring_system": "epss",
                            "scoring_elements": "0.23771",
                            "published_at": "2026-06-12T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-29782"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29782",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29782"
                },
                {
                    "reference_url": "https://github.com/devcode-it/openstamanager/commit/d2e38cbdf91a831cefc0da1548e02b297ae644cc",
                    "reference_id": "d2e38cbdf91a831cefc0da1548e02b297ae644cc",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-03T19:52:40Z/"
                        }
                    ],
                    "url": "https://github.com/devcode-it/openstamanager/commit/d2e38cbdf91a831cefc0da1548e02b297ae644cc"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-whv5-4q2f-q68g",
                    "reference_id": "GHSA-whv5-4q2f-q68g",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-whv5-4q2f-q68g"
                },
                {
                    "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-whv5-4q2f-q68g",
                    "reference_id": "GHSA-whv5-4q2f-q68g",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-03T19:52:40Z/"
                        }
                    ],
                    "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-whv5-4q2f-q68g"
                },
                {
                    "reference_url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2",
                    "reference_id": "v2.10.2",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-03T19:52:40Z/"
                        }
                    ],
                    "url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/373722?format=api",
                    "purl": "pkg:composer/devcode-it/openstamanager@2.10.2",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.10.2"
                }
            ],
            "aliases": [
                "CVE-2026-29782",
                "GHSA-whv5-4q2f-q68g"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-kzsm-amyh-z7h7"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/82899?format=api",
            "vulnerability_id": "VCID-m5gj-5m2q-fqe6",
            "summary": "OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module. The application fails to validate that elements of the id_records array are integers before using them in an SQL IN() clause, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24418",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.03086",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.03081",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.03069",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.03073",
                            "published_at": "2026-06-11T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24418"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24418",
                    "reference_id": "CVE-2026-24418",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24418"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-4xwv-49c8-fvhq",
                    "reference_id": "GHSA-4xwv-49c8-fvhq",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-4xwv-49c8-fvhq"
                },
                {
                    "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq",
                    "reference_id": "GHSA-4xwv-49c8-fvhq",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-02-06T18:47:55Z/"
                        }
                    ],
                    "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/940767?format=api",
                    "purl": "pkg:composer/devcode-it/openstamanager@2.10-beta",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-8yfb-n5dh-xbab"
                        },
                        {
                            "vulnerability": "VCID-bfeu-e7dd-xfdm"
                        },
                        {
                            "vulnerability": "VCID-kp7s-72jv-cqg9"
                        },
                        {
                            "vulnerability": "VCID-kzsm-amyh-z7h7"
                        },
                        {
                            "vulnerability": "VCID-y5uk-by6v-tbct"
                        },
                        {
                            "vulnerability": "VCID-zf18-hsf6-huhu"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.10-beta"
                }
            ],
            "aliases": [
                "CVE-2026-24418",
                "GHSA-4xwv-49c8-fvhq"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m5gj-5m2q-fqe6"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/80331?format=api",
            "vulnerability_id": "VCID-mgj8-uc4s-ebby",
            "summary": "OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group (idgruppo) by directly calling modules/utenti/actions.php. This can promote an existing account (e.g. agent) into the Amministratori group as well as demote any user including existing administrators.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27012",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00046",
                            "scoring_system": "epss",
                            "scoring_elements": "0.14682",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00046",
                            "scoring_system": "epss",
                            "scoring_elements": "0.1471",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.00046",
                            "scoring_system": "epss",
                            "scoring_elements": "0.14591",
                            "published_at": "2026-06-11T12:55:00Z"
                        },
                        {
                            "value": "0.00046",
                            "scoring_system": "epss",
                            "scoring_elements": "0.14712",
                            "published_at": "2026-06-12T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-27012"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27012",
                    "reference_id": "CVE-2026-27012",
                    "reference_type": "",
                    "scores": [],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27012"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-247v-7cw6-q57v",
                    "reference_id": "GHSA-247v-7cw6-q57v",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-247v-7cw6-q57v"
                },
                {
                    "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-247v-7cw6-q57v",
                    "reference_id": "GHSA-247v-7cw6-q57v",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "9.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "CRITICAL",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-03-04T21:21:23Z/"
                        }
                    ],
                    "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-247v-7cw6-q57v"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/940767?format=api",
                    "purl": "pkg:composer/devcode-it/openstamanager@2.10-beta",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-8yfb-n5dh-xbab"
                        },
                        {
                            "vulnerability": "VCID-bfeu-e7dd-xfdm"
                        },
                        {
                            "vulnerability": "VCID-kp7s-72jv-cqg9"
                        },
                        {
                            "vulnerability": "VCID-kzsm-amyh-z7h7"
                        },
                        {
                            "vulnerability": "VCID-y5uk-by6v-tbct"
                        },
                        {
                            "vulnerability": "VCID-zf18-hsf6-huhu"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.10-beta"
                }
            ],
            "aliases": [
                "CVE-2026-27012",
                "GHSA-247v-7cw6-q57v"
            ],
            "risk_score": 4.5,
            "exploitability": "0.5",
            "weighted_severity": "9.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-mgj8-uc4s-ebby"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/123711?format=api",
            "vulnerability_id": "VCID-tyyx-fdu3-k3ce",
            "summary": "OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, an SQL Injection vulnerability exists in the ajax_select.php endpoint when handling the componenti operation. An authenticated attacker can inject malicious SQL code through the options[matricola] parameter.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69214",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00019",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05633",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00019",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05619",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00019",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05627",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.00019",
                            "scoring_system": "epss",
                            "scoring_elements": "0.05606",
                            "published_at": "2026-06-11T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-69214"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69214",
                    "reference_id": "CVE-2025-69214",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69214"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-qjv8-63xq-gq8m",
                    "reference_id": "GHSA-qjv8-63xq-gq8m",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-qjv8-63xq-gq8m"
                },
                {
                    "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-qjv8-63xq-gq8m",
                    "reference_id": "GHSA-qjv8-63xq-gq8m",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-09T15:20:52Z/"
                        }
                    ],
                    "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-qjv8-63xq-gq8m"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/940767?format=api",
                    "purl": "pkg:composer/devcode-it/openstamanager@2.10-beta",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-8yfb-n5dh-xbab"
                        },
                        {
                            "vulnerability": "VCID-bfeu-e7dd-xfdm"
                        },
                        {
                            "vulnerability": "VCID-kp7s-72jv-cqg9"
                        },
                        {
                            "vulnerability": "VCID-kzsm-amyh-z7h7"
                        },
                        {
                            "vulnerability": "VCID-y5uk-by6v-tbct"
                        },
                        {
                            "vulnerability": "VCID-zf18-hsf6-huhu"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.10-beta"
                }
            ],
            "aliases": [
                "CVE-2025-69214",
                "GHSA-qjv8-63xq-gq8m"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-tyyx-fdu3-k3ce"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/82852?format=api",
            "vulnerability_id": "VCID-vwa6-3bwc-uqga",
            "summary": "OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the article pricing completion handler. The application fails to properly sanitize the idarticolo parameter before using it in SQL queries, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24416",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.03086",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.03081",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.03069",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.03073",
                            "published_at": "2026-06-11T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24416"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24416",
                    "reference_id": "CVE-2026-24416",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24416"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-p864-fqgv-92q4",
                    "reference_id": "GHSA-p864-fqgv-92q4",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-p864-fqgv-92q4"
                },
                {
                    "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-p864-fqgv-92q4",
                    "reference_id": "GHSA-p864-fqgv-92q4",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-02-09T15:20:55Z/"
                        }
                    ],
                    "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-p864-fqgv-92q4"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/940767?format=api",
                    "purl": "pkg:composer/devcode-it/openstamanager@2.10-beta",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-8yfb-n5dh-xbab"
                        },
                        {
                            "vulnerability": "VCID-bfeu-e7dd-xfdm"
                        },
                        {
                            "vulnerability": "VCID-kp7s-72jv-cqg9"
                        },
                        {
                            "vulnerability": "VCID-kzsm-amyh-z7h7"
                        },
                        {
                            "vulnerability": "VCID-y5uk-by6v-tbct"
                        },
                        {
                            "vulnerability": "VCID-zf18-hsf6-huhu"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.10-beta"
                }
            ],
            "aliases": [
                "CVE-2026-24416",
                "GHSA-p864-fqgv-92q4"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vwa6-3bwc-uqga"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/71798?format=api",
            "vulnerability_id": "VCID-y5uk-by6v-tbct",
            "summary": "OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the Aggiornamenti (Updates) module in OpenSTAManager contains a database conflict resolution feature (op=risolvi-conflitti-database) that accepts a JSON array of SQL statements via POST and executes them directly against the database without any validation, allowlist, or sanitization. An authenticated attacker with access to the Aggiornamenti module can execute arbitrary SQL statements including CREATE, DROP, ALTER, INSERT, UPDATE, DELETE, SELECT INTO OUTFILE, and any other SQL command supported by the MySQL server. Foreign key checks are explicitly disabled before execution (SET FOREIGN_KEY_CHECKS=0), further reducing database integrity protections. This issue has been patched in version 2.10.2.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35168",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00039",
                            "scoring_system": "epss",
                            "scoring_elements": "0.12341",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00039",
                            "scoring_system": "epss",
                            "scoring_elements": "0.12326",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00039",
                            "scoring_system": "epss",
                            "scoring_elements": "0.12347",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.00039",
                            "scoring_system": "epss",
                            "scoring_elements": "0.12247",
                            "published_at": "2026-06-11T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-35168"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35168",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35168"
                },
                {
                    "reference_url": "https://github.com/devcode-it/openstamanager/commit/43970676bcd6636ff8663652fd82579f737abb74",
                    "reference_id": "43970676bcd6636ff8663652fd82579f737abb74",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T16:19:18Z/"
                        }
                    ],
                    "url": "https://github.com/devcode-it/openstamanager/commit/43970676bcd6636ff8663652fd82579f737abb74"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-2fr7-cc4f-wh98",
                    "reference_id": "GHSA-2fr7-cc4f-wh98",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-2fr7-cc4f-wh98"
                },
                {
                    "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98",
                    "reference_id": "GHSA-2fr7-cc4f-wh98",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T16:19:18Z/"
                        }
                    ],
                    "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-2fr7-cc4f-wh98"
                },
                {
                    "reference_url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2",
                    "reference_id": "v2.10.2",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.8",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T16:19:18Z/"
                        }
                    ],
                    "url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/373722?format=api",
                    "purl": "pkg:composer/devcode-it/openstamanager@2.10.2",
                    "is_vulnerable": false,
                    "affected_by_vulnerabilities": [],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.10.2"
                }
            ],
            "aliases": [
                "CVE-2026-35168",
                "GHSA-2fr7-cc4f-wh98"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-y5uk-by6v-tbct"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/83148?format=api",
            "vulnerability_id": "VCID-yy49-aces-uugv",
            "summary": "OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the Prima Nota (Journal Entry) module's add.php file. The application fails to validate that comma-separated values from the id_documenti GET parameter are integers before using them in SQL IN() clauses, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages.",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24419",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.03086",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.03081",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.03073",
                            "published_at": "2026-06-11T12:55:00Z"
                        },
                        {
                            "value": "0.00015",
                            "scoring_system": "epss",
                            "scoring_elements": "0.03069",
                            "published_at": "2026-06-13T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-24419"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24419",
                    "reference_id": "CVE-2026-24419",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24419"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-4j2x-jh4m-fqv6",
                    "reference_id": "GHSA-4j2x-jh4m-fqv6",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-4j2x-jh4m-fqv6"
                },
                {
                    "reference_url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4j2x-jh4m-fqv6",
                    "reference_id": "GHSA-4j2x-jh4m-fqv6",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        },
                        {
                            "value": "8.7",
                            "scoring_system": "cvssv4",
                            "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track*",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-02-06T18:30:04Z/"
                        }
                    ],
                    "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4j2x-jh4m-fqv6"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/940767?format=api",
                    "purl": "pkg:composer/devcode-it/openstamanager@2.10-beta",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-8yfb-n5dh-xbab"
                        },
                        {
                            "vulnerability": "VCID-bfeu-e7dd-xfdm"
                        },
                        {
                            "vulnerability": "VCID-kp7s-72jv-cqg9"
                        },
                        {
                            "vulnerability": "VCID-kzsm-amyh-z7h7"
                        },
                        {
                            "vulnerability": "VCID-y5uk-by6v-tbct"
                        },
                        {
                            "vulnerability": "VCID-zf18-hsf6-huhu"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.10-beta"
                }
            ],
            "aliases": [
                "CVE-2026-24419",
                "GHSA-4j2x-jh4m-fqv6"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-yy49-aces-uugv"
        },
        {
            "url": "http://public2.vulnerablecode.io/api/vulnerabilities/68098?format=api",
            "vulnerability_id": "VCID-zf18-hsf6-huhu",
            "summary": "OpenSTAManager version 2.10 and earlier contains an arbitrary file upload vulnerability in the module update functionality (modules/aggiornamenti/upload_modules.php)",
            "references": [
                {
                    "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-38751",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "0.00056",
                            "scoring_system": "epss",
                            "scoring_elements": "0.17991",
                            "published_at": "2026-06-14T12:55:00Z"
                        },
                        {
                            "value": "0.00056",
                            "scoring_system": "epss",
                            "scoring_elements": "0.18015",
                            "published_at": "2026-06-13T12:55:00Z"
                        },
                        {
                            "value": "0.00056",
                            "scoring_system": "epss",
                            "scoring_elements": "0.18",
                            "published_at": "2026-06-12T12:55:00Z"
                        },
                        {
                            "value": "0.00056",
                            "scoring_system": "epss",
                            "scoring_elements": "0.17841",
                            "published_at": "2026-06-11T12:55:00Z"
                        }
                    ],
                    "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-38751"
                },
                {
                    "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-38751",
                    "reference_id": "",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-38751"
                },
                {
                    "reference_url": "https://github.com/advisories/GHSA-rm34-fg4m-39mw",
                    "reference_id": "GHSA-rm34-fg4m-39mw",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "HIGH",
                            "scoring_system": "cvssv3.1_qr",
                            "scoring_elements": ""
                        }
                    ],
                    "url": "https://github.com/advisories/GHSA-rm34-fg4m-39mw"
                },
                {
                    "reference_url": "https://github.com/devcode-it/openstamanager",
                    "reference_id": "openstamanager",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T13:15:57Z/"
                        }
                    ],
                    "url": "https://github.com/devcode-it/openstamanager"
                },
                {
                    "reference_url": "https://github.com/fuutianyii/poc",
                    "reference_id": "poc",
                    "reference_type": "",
                    "scores": [
                        {
                            "value": "7.2",
                            "scoring_system": "cvssv3.1",
                            "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
                        },
                        {
                            "value": "HIGH",
                            "scoring_system": "generic_textual",
                            "scoring_elements": ""
                        },
                        {
                            "value": "Track",
                            "scoring_system": "ssvc",
                            "scoring_elements": "SSVCv2/E:N/A:N/T:T/P:M/B:A/M:M/D:T/2026-05-05T13:15:57Z/"
                        }
                    ],
                    "url": "https://github.com/fuutianyii/poc"
                }
            ],
            "fixed_packages": [
                {
                    "url": "http://public2.vulnerablecode.io/api/packages/990141?format=api",
                    "purl": "pkg:composer/devcode-it/openstamanager@2.10.1",
                    "is_vulnerable": true,
                    "affected_by_vulnerabilities": [
                        {
                            "vulnerability": "VCID-8yfb-n5dh-xbab"
                        },
                        {
                            "vulnerability": "VCID-bfeu-e7dd-xfdm"
                        },
                        {
                            "vulnerability": "VCID-kzsm-amyh-z7h7"
                        },
                        {
                            "vulnerability": "VCID-y5uk-by6v-tbct"
                        }
                    ],
                    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.10.1"
                }
            ],
            "aliases": [
                "CVE-2026-38751",
                "GHSA-rm34-fg4m-39mw"
            ],
            "risk_score": 4.0,
            "exploitability": "0.5",
            "weighted_severity": "8.0",
            "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-zf18-hsf6-huhu"
        }
    ],
    "fixing_vulnerabilities": [],
    "risk_score": "4.5",
    "resource_url": "http://public2.vulnerablecode.io/packages/pkg:composer/devcode-it/openstamanager@2.7.2"
}