CVE-2026-24418

MEDIUM

OpenSTAManager <2.9.8 - SQL Injection

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-24418. PoCs published by lukasz-rybak.

AI-analyzed exploit summary This repository provides a detailed technical analysis of CVE-2026-24418, an error-based SQL injection vulnerability in OpenSTAManager's Scadenzario module. It includes root cause analysis, patch recommendations, and proof-of-concept curl commands demonstrating the exploit.

Description

OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module. The application fails to validate that elements of the id_records array are integers before using them in an SQL IN() clause, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages.

Exploits (1)

nomisec WRITEUP
by lukasz-rybak · poc
https://github.com/lukasz-rybak/CVE-2026-24418

This repository provides a detailed technical analysis of CVE-2026-24418, an error-based SQL injection vulnerability in OpenSTAManager's Scadenzario module. It includes root cause analysis, patch recommendations, and proof-of-concept curl commands demonstrating the exploit.

Classification
Writeup 100%
Attack Type
Sqli
Complexity
Moderate
Reliability
Reliable
Target: OpenSTAManager <= 2.9.8
Auth required
Prerequisites: Authenticated access to the Scadenzario module
devstral-2 · analyzed Apr 12, 2026 Full analysis →

References (1)

Core 1
Core References

Scores

CVSS v3 6.5
EPSS 0.0001
EPSS Percentile 3.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact total

Details

CWE
CWE-89
Status published
Products (2)
devcode/openstamanager < 2.9.8
devcode-it/openstamanager 0Packagist
Published Feb 06, 2026
Tracked Since Feb 18, 2026