CVE-2026-24416

MEDIUM

OpenSTAManager <2.9.8 - SQL Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-24416. PoCs published by lukasz-rybak.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2026-24416, a Time-Based Blind SQL Injection vulnerability in OpenSTAManager's article pricing module. It includes root cause analysis, patch diffs, and step-by-step PoC instructions for verification and data extraction.

Description

OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the article pricing completion handler. The application fails to properly sanitize the idarticolo parameter before using it in SQL queries, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference.

Exploits (1)

nomisec WRITEUP
by lukasz-rybak · poc
https://github.com/lukasz-rybak/CVE-2026-24416

This repository provides a detailed technical analysis of CVE-2026-24416, a Time-Based Blind SQL Injection vulnerability in OpenSTAManager's article pricing module. It includes root cause analysis, patch diffs, and step-by-step PoC instructions for verification and data extraction.

Classification
Writeup 100%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: devcode-it/openstamanager (versions <= 2.9.8)
Auth required
Prerequisites: authenticated access to the application · valid session cookies
devstral-2 · analyzed Apr 12, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 6.5
EPSS 0.0001
EPSS Percentile 3.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-89
Status published
Products (2)
devcode/openstamanager < 2.9.8
devcode-it/openstamanager 0Packagist
Published Feb 06, 2026
Tracked Since Feb 18, 2026