CVE-2025-69213

HIGH

Devcode-it Openstamanager - SQL Injection

Title source: rule

Description

OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, a SQL Injection vulnerability exists in the ajax_complete.php endpoint when handling the get_sedi operation. An authenticated attacker can inject malicious SQL code through the idanagrafica parameter, leading to unauthorized database access. At time of publication, no known patch exists.

Exploits (1)

nomisec WRITEUP

by lukasz-rybak · poc

https://github.com/lukasz-rybak/CVE-2025-69213

View Code ZIP pw:eip

References (1)

[Vendor Advisory] https://github.com/devcode-it/openstamanager/security/advisories/GHSA-w995-ff8h-rppg

Scores

CVSS v3 8.8

EPSS 0.0004

EPSS Percentile 13.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-89

Status published

Products (2)

devcode/openstamanager < 2.9.8

devcode-it/openstamanager 0Packagist

Published Feb 04, 2026

Tracked Since Feb 18, 2026