{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28805", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T14:25:19.246Z", "datePublished": "2026-04-02T13:44:07.063Z", "dateUpdated": "2026-04-02T18:31:08.958Z"}, "containers": {"cna": {"title": "OpenSTAManager: Time-Based Blind SQL Injection via `options[stato]` Parameter", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-3gw8-3mg3-jmpc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-3gw8-3mg3-jmpc"}, {"name": "https://github.com/devcode-it/openstamanager/commit/50b9089c506ba2ca249afb1dfead2af5d42c10e7", "tags": ["x_refsource_MISC"], "url": "https://github.com/devcode-it/openstamanager/commit/50b9089c506ba2ca249afb1dfead2af5d42c10e7"}, {"name": "https://github.com/devcode-it/openstamanager/commit/679c40fa5b3acad4263b537f367c0695ff9666dc", "tags": ["x_refsource_MISC"], "url": "https://github.com/devcode-it/openstamanager/commit/679c40fa5b3acad4263b537f367c0695ff9666dc"}, {"name": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2"}], "affected": [{"vendor": "devcode-it", "product": "openstamanager", "versions": [{"version": "< 2.10.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T13:44:07.063Z"}, "descriptions": [{"lang": "en", "value": "OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $superselect['stato'] and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL database. This issue has been patched in version 2.10.2."}], "source": {"advisory": "GHSA-3gw8-3mg3-jmpc", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T18:30:58.710195Z", "id": "CVE-2026-28805", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T18:31:08.958Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-28805", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-03T14:25:19.246Z", "datePublished": "2026-04-02T13:44:07.063Z", "dateUpdated": "2026-04-02T18:31:08.958Z"}, "containers": {"cna": {"title": "OpenSTAManager: Time-Based Blind SQL Injection via `options[stato]` Parameter", "problemTypes": [{"descriptions": [{"cweId": "CWE-89", "lang": "en", "description": "CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-3gw8-3mg3-jmpc", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-3gw8-3mg3-jmpc"}, {"name": "https://github.com/devcode-it/openstamanager/commit/50b9089c506ba2ca249afb1dfead2af5d42c10e7", "tags": ["x_refsource_MISC"], "url": "https://github.com/devcode-it/openstamanager/commit/50b9089c506ba2ca249afb1dfead2af5d42c10e7"}, {"name": "https://github.com/devcode-it/openstamanager/commit/679c40fa5b3acad4263b537f367c0695ff9666dc", "tags": ["x_refsource_MISC"], "url": "https://github.com/devcode-it/openstamanager/commit/679c40fa5b3acad4263b537f367c0695ff9666dc"}, {"name": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2", "tags": ["x_refsource_MISC"], "url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2"}], "affected": [{"vendor": "devcode-it", "product": "openstamanager", "versions": [{"version": "< 2.10.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T13:44:07.063Z"}, "descriptions": [{"lang": "en", "value": "OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $superselect['stato'] and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL database. This issue has been patched in version 2.10.2."}], "source": {"advisory": "GHSA-3gw8-3mg3-jmpc", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-28805", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T18:30:58.710195Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T18:31:04.161Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, multiple AJAX select handlers in OpenSTAManager are vulnerable to Time-Based Blind SQL Injection through the options[stato] GET parameter. The user-supplied value is read from $superselect['stato'] and concatenated directly into SQL WHERE clauses as a bare expression, without any sanitization, parameterization, or allowlist validation. An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including usernames, password hashes, financial records, and any other information stored in the MySQL database. This issue has been patched in version 2.10.2."}], "id": "CVE-2026-28805", "lastModified": "2026-04-02T14:16:26.400", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T14:16:26.400", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/devcode-it/openstamanager/commit/50b9089c506ba2ca249afb1dfead2af5d42c10e7"}, {"source": "security-advisories@github.com", "url": "https://github.com/devcode-it/openstamanager/commit/679c40fa5b3acad4263b537f367c0695ff9666dc"}, {"source": "security-advisories@github.com", "url": "https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2"}, {"source": "security-advisories@github.com", "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-3gw8-3mg3-jmpc"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-89"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,2.10.2)"}}], "enrichment": {"confidence": 94.0, "confidence_source": "matching", "scores": [{"score": 94.0, "source": "matching"}]}, "original": {"product": "openstamanager", "source": "cna", "vendor": "devcode-it"}, "product": "openstamanager", "vendor": "devcode"}], "analysis": {"en": {"generated_at": "2026-04-02T15:24:29.692071+00:00", "value": {"mitigation_remediation": ["Update OpenSTAManager to version 2.10.2 or later, which contains the patch that sanitizes the options[stato] input and removes the injection vector.", "Verify that the application is correctly operating with the updated version and that no legacy code paths remain exposed to the vulnerable parameter.", "Monitor authentication logs and database query activity for any signs of unauthorized data extraction, and consider disabling or restricting the vulnerable AJAX endpoints until the patch is confirmed to be in place."], "summary": {"action": "Apply Patch", "impact": "Confidentiality breach through SQL injection"}, "threat_synthesis": {"affected_systems": "The issue impacts the devcode\u2011it OpenSTAManager application. All releases prior to version 2.10.2 are affected. The patch referenced in the commit logs and release notes of v2.10.2 resolves the injection vector by sanitizing the options[stato] input and parameterizing the SQL statement.", "description_and_impact": "OpenSTAManager suffers a time\u2011based blind SQL injection that arises from the unvalidated options[stato] GET parameter in several AJAX select handlers. The user supplied value is placed directly into a SQL WHERE clause as a bare expression, allowing an attacker to inject arbitrary SQL instructions. This enables the extraction of sensitive information such as usernames, password hashes, financial records, and any other data stored in the MySQL database. The vulnerability leverages broken input handling (CWE\u201189) and can lead to a full data compromise if exploited.", "risk_and_exploitability": "The CVSS score of 8.8 classifies this as high severity, indicating significant risk. Although EPSS information is not available, the attack path requires an authenticated session and the ability to request the vulnerable AJAX endpoint, which is typically accessible to legitimate users with access rights. The vulnerability is not listed in CISA\u2019s KEV catalog, but the underlying data exposure risk remains substantial. The likely attack vector is a crafted AJAX request from an authenticated user's browser, potentially amplified by login privileges."}}}}, "created": "2026-04-02T20:12:30.445496+00:00", "updated": "2026-04-02T20:21:11.377442+00:00", "vendors": ["devcode", "devcode$PRODUCT$openstamanager"]}