Vulnerability details: VCID-bfeu-e7dd-xfdm
Vulnerability ID VCID-bfeu-e7dd-xfdm
Aliases CVE-2026-28805, GHSA-3gw8-3mg3-jmpc
Summary OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $superselect['stato'] and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL database. This issue has been patched in version 2.10.2.
Status Published
Exploitability 0.5
Weighted Severity 8.0
Risk 4.0
System Score Found at
epss 0.00017 https://api.first.org/data/v1/epss?cve=CVE-2026-28805
cvssv3.1_qr HIGH https://github.com/advisories/GHSA-3gw8-3mg3-jmpc
cvssv3.1 8.8 https://github.com/devcode-it/openstamanager
generic_textual HIGH https://github.com/devcode-it/openstamanager
cvssv3.1 8.8 https://github.com/devcode-it/openstamanager/commit/50b9089c506ba2ca249afb1dfead2af5d42c10e7
generic_textual HIGH https://github.com/devcode-it/openstamanager/commit/50b9089c506ba2ca249afb1dfead2af5d42c10e7
ssvc Track* https://github.com/devcode-it/openstamanager/commit/50b9089c506ba2ca249afb1dfead2af5d42c10e7
cvssv3.1 8.8 https://github.com/devcode-it/openstamanager/commit/679c40fa5b3acad4263b537f367c0695ff9666dc
generic_textual HIGH https://github.com/devcode-it/openstamanager/commit/679c40fa5b3acad4263b537f367c0695ff9666dc
ssvc Track* https://github.com/devcode-it/openstamanager/commit/679c40fa5b3acad4263b537f367c0695ff9666dc
cvssv3.1 8.8 https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2
generic_textual HIGH https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2
ssvc Track* https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2
cvssv3.1 8.8 https://github.com/devcode-it/openstamanager/security/advisories/GHSA-3gw8-3mg3-jmpc
cvssv3.1_qr HIGH https://github.com/devcode-it/openstamanager/security/advisories/GHSA-3gw8-3mg3-jmpc
generic_textual HIGH https://github.com/devcode-it/openstamanager/security/advisories/GHSA-3gw8-3mg3-jmpc
ssvc Track* https://github.com/devcode-it/openstamanager/security/advisories/GHSA-3gw8-3mg3-jmpc
cvssv3.1 8.8 https://nvd.nist.gov/vuln/detail/CVE-2026-28805
generic_textual HIGH https://nvd.nist.gov/vuln/detail/CVE-2026-28805
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/devcode-it/openstamanager
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/devcode-it/openstamanager/commit/50b9089c506ba2ca249afb1dfead2af5d42c10e7
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T18:30:58Z/ Found at https://github.com/devcode-it/openstamanager/commit/50b9089c506ba2ca249afb1dfead2af5d42c10e7
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/devcode-it/openstamanager/commit/679c40fa5b3acad4263b537f367c0695ff9666dc
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T18:30:58Z/ Found at https://github.com/devcode-it/openstamanager/commit/679c40fa5b3acad4263b537f367c0695ff9666dc
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T18:30:58Z/ Found at https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://github.com/devcode-it/openstamanager/security/advisories/GHSA-3gw8-3mg3-jmpc
Vector: SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-04-02T18:30:58Z/ Found at https://github.com/devcode-it/openstamanager/security/advisories/GHSA-3gw8-3mg3-jmpc
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H Found at https://nvd.nist.gov/vuln/detail/CVE-2026-28805
Exploit Prediction Scoring System (EPSS)
Percentile 0.04389
EPSS Score 0.00017
Published At June 11, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-06-11T16:43:59.466452+00:00 Vulnrichment Import https://github.com/cisagov/vulnrichment/blob/develop/2026/28xxx/CVE-2026-28805.json 38.6.0