CVE-2025-69216

MEDIUM

Devcode Openstamanager < 2.9.8 - SQL Injection

Title source: rule

Description

OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, an authenticated SQL injection vulnerability in OpenSTAManager's Scadenzario (Payment Schedule) print template allows any authenticated user to extract sensitive data from the database, including admin credentials, customer information, and financial records. The vulnerability exists in templates/scadenzario/init.php, where the id_anagrafica parameter is directly concatenated into an SQL query without proper sanitization. The vulnerability enables complete database read access through error-based SQL injection techniques.

Exploits (1)

nomisec WRITEUP

by lukasz-rybak · poc

https://github.com/lukasz-rybak/CVE-2025-69216

View Code ZIP pw:eip

References (1)

[Exploit, Vendor Advisory] https://github.com/devcode-it/openstamanager/security/advisories/GHSA-q6g3-fv43-m2w6

Scores

CVSS v3 6.5

EPSS 0.0001

EPSS Percentile 2.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Details

CWE

CWE-89

Status published

Products (2)

devcode/openstamanager < 2.9.8

devcode-it/openstamanager 0Packagist

Published Feb 06, 2026

Tracked Since Feb 18, 2026