CVE-2026-24419

6.5 MEDIUM

📋 TL;DR

OpenSTAManager v2.9.8 and earlier contain a critical SQL injection vulnerability in the Journal Entry module. Attackers can inject arbitrary SQL commands through the id_documenti parameter to extract sensitive database information via error messages. All users running affected versions are vulnerable.

💻 Affected Systems

Products:
  • OpenSTAManager
Versions: v2.9.8 and earlier
Operating Systems: All platforms running OpenSTAManager
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability is present in a default installation whenever the Prima Nota (Journal Entry) module is enabled.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete database compromise, including extraction of all user credentials, financial data and customer information, and potential system takeover.

🟠 Likely Case: Extraction of sensitive business data, including customer information, financial records and authentication credentials, leading to a data breach.

🟢 If Mitigated: Limited data exposure if database permissions are restricted, but still a significant information disclosure risk.

🌐 Internet-Facing: HIGH - Web applications exposed to internet are directly vulnerable to remote exploitation.
🏢 Internal Only: HIGH - Internal attackers or compromised internal systems can exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires no authentication and uses simple SQL injection techniques with error-based extraction.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.9.9 or later

Vendor Advisory: https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4j2x-jh4m-fqv6

Restart Required: No

Instructions:

1. Back up your OpenSTAManager installation and database.
2. Download the latest version from the official repository.
3. Replace the affected files, particularly add.php in the Prima Nota module.
4. Verify the fix by testing the vulnerable endpoint.

🔧 Temporary Workarounds

Input Validation Filter

Applies to: all

Add server-side validation so that the id_documenti parameter is accepted only when it consists of integers and commas.

Modify add.php to validate: if (!preg_match('/^[0-9,]+$/D', $_GET['id_documenti'] ?? '')) { die('Invalid input'); }
(The D modifier stops $ from matching before a trailing newline, and ?? '' rejects a missing parameter instead of raising a warning.)
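The allowlist check above is the whole workaround, but a defender reviewing the patch also wants to see the id list reach the database as bound parameters rather than as spliced text. The block below is an added example, not code from OpenSTAManager (which is written in PHP); it is a Python stand-in that tightens the advisory's [0-9,]+ pattern so that empty items such as "12," or ",," are rejected too, and then binds the validated ids into an IN (...) clause. The documenti table and its rows are constructed for the demo and are not the project's schema.

```python
import re
import sqlite3

# Stricter form of the advisory's allowlist: one or more integers separated by
# single commas, with no leading, trailing or doubled commas.
ID_LIST = re.compile(r"\A[0-9]+(,[0-9]+)*\Z")


def parse_id_list(raw):
    """Validate the id_documenti value and return it as a list of ints.

    Raises ValueError for anything that is not a comma-separated integer list,
    including None (parameter missing) and quote or keyword characters.
    """
    if raw is None or not ID_LIST.fullmatch(raw):
        raise ValueError("id_documenti must be a comma-separated list of integers")
    return [int(x) for x in raw.split(",")]


def fetch_documents(conn, raw):
    """Look up the requested documents with bound parameters.

    Even after validation the ids are passed to the driver as parameters, so the
    query text never contains user-controlled characters; only the number of
    placeholders depends on the input.
    """
    ids = parse_id_list(raw)
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT id, descrizione FROM documenti WHERE id IN ({placeholders}) ORDER BY id"
    return conn.execute(sql, ids).fetchall()


def demo_db():
    """Constructed in-memory table standing in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE documenti (id INTEGER PRIMARY KEY, descrizione TEXT)")
    conn.executemany(
        "INSERT INTO documenti VALUES (?, ?)",
        [(12, "Fattura 12"), (15, "Fattura 15"), (20, "Fattura 20")],
    )
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(fetch_documents(db, "12,20"))
    for bad in ("1' UNION SELECT 1", "12,", "", None):
        try:
            fetch_documents(db, bad)
        except ValueError as exc:
            print(f"rejected {bad!r}: {exc}")
```

The regex rejects the hostile input before any SQL is built; the parameter binding is the second layer, so a future code path that forgets the validation still cannot turn the value into SQL syntax.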

WAF Rule

Applies to: all

Implement a web application firewall rule that blocks SQL injection patterns in GET parameters.

Add WAF rule: Detect and block patterns such as UNION, SELECT, FROM and WHERE in the id_documenti parameter.

🧯 If You Can't Patch

  • Disable Prima Nota module completely if not required
  • Implement strict network segmentation and limit access to OpenSTAManager to trusted IPs only

🔍 How to Verify

Check if Vulnerable:

Request /prima_nota/add.php with a single quote appended to the parameter (id_documenti=1') or with other SQL injection test input, and observe whether the response contains a database error message.

Check Version:

Check the OpenSTAManager version in the admin panel or review the version.php file.

Verify Fix Applied:

Send the same SQL injection test input to the patched endpoint and confirm that no database error is returned and that the parameter is rejected or sanitized.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SQL error messages in application logs
  • Multiple requests to /prima_nota/add.php with SQL-like parameters
  • XPATH error messages in logs

Network Indicators:

  • HTTP GET requests containing SQL keywords in id_documenti parameter
  • Unusual database query patterns from web server

SIEM Query:

source="web_logs" AND uri_path="/prima_nota/add.php" AND (query_string="*UNION*" OR query_string="*SELECT*" OR query_string="*FROM*")
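The SIEM query above keys on the request path and a few SQL keywords. The block below is an added example, not part of the advisory, showing the same logic run over an access log: it parses Apache combined-format lines (constructed for the demo; the IPs, timestamps and user agents are made up), URL-decodes the id_documenti value so that %27 and + encodings do not hide a keyword, matches keywords case-insensitively, and additionally flags any value that is not a plain integer list, which catches probes that use none of the listed keywords. The /index.php decoy line is constructed to show that the path filter keeps unrelated pages out of the results.

```python
import re
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/prima_nota/add.php"

# Constructed sample log lines in Apache combined format (not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [12/Feb/2026:10:01:02 +0000] "GET /prima_nota/add.php?id_documenti=12,15 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Feb/2026:10:01:05 +0000] "GET /prima_nota/add.php?id_documenti=1%27+UNION+SELECT+1 HTTP/1.1" 500 233 "-" "curl/8.4.0"
203.0.113.10 - - [12/Feb/2026:10:01:07 +0000] "GET /prima_nota/add.php?id_documenti=1%27%20union%20select%201 HTTP/1.1" 500 233 "-" "curl/8.4.0"
198.51.100.7 - - [12/Feb/2026:10:02:00 +0000] "GET /index.php?page=select HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD target PROTO", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Keywords named in the advisory's WAF rule and SIEM query, matched case-insensitively.
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|FROM|WHERE)\b", re.IGNORECASE)
# The advisory's allowlist: only digits and commas are legitimate.
ID_LIST = re.compile(r"\A[0-9,]+\Z")


def parse_line(line):
    """Return the fields a detection needs from one combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m["target"])
    # parse_qs percent-decodes and turns '+' into spaces, so keyword matching
    # sees the same text the application would.
    params = parse_qs(url.query, keep_blank_values=True)
    return {"ip": m["ip"], "ts": m["ts"], "path": url.path,
            "params": params, "status": int(m["status"])}


def scan_log(text):
    """Flag requests to the vulnerable endpoint whose id_documenti looks hostile."""
    findings = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None or ev["path"] != TARGET_PATH:
            continue
        for raw in ev["params"].get("id_documenti", []):
            reasons = []
            if SQL_KEYWORDS.search(raw):
                reasons.append("sql-keyword")
            if not ID_LIST.fullmatch(raw):
                reasons.append("not-an-id-list")
            if reasons:
                findings.append({"ip": ev["ip"], "ts": ev["ts"], "status": ev["status"],
                                 "value": raw, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} status={f['status']} "
              f"id_documenti={f['value']!r} reasons={f['reasons']}")
```

A 500 status alongside a flagged value is worth a higher severity, since it matches the advisory's "unusual SQL error messages" indicator; the decoded value is kept in the finding so an analyst can see the probe without re-decoding the raw line.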
