CVE-2026-38751

HIGH

OpenSTAManager <=2.10 - Arbitrary File Upload

Title source: llm

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-38751. PoCs published by fuutianyii.

AI-analyzed exploit summary This repository contains a functional exploit for CVE-2026-38751, targeting OpenSTAManager versions <= 2.10. The exploit leverages an arbitrary file upload vulnerability to achieve remote code execution (RCE) by uploading a malicious ZIP file containing a PHP webshell.

Description

OpenSTAManager version 2.10 and earlier contains an arbitrary file upload vulnerability in the module update functionality (modules/aggiornamenti/upload_modules.php)

Exploits (1)

github WORKING POC

by fuutianyii · pythonpoc

https://github.com/fuutianyii/poc

View Code ZIP pw:eip

This repository contains a functional exploit for CVE-2026-38751, targeting OpenSTAManager versions <= 2.10. The exploit leverages an arbitrary file upload vulnerability to achieve remote code execution (RCE) by uploading a malicious ZIP file containing a PHP webshell.

Classification

Working Poc 95%

Attack Type

Rce

Complexity

Moderate

Reliability

Reliable

Target: OpenSTAManager <= 2.10

Auth required

Prerequisites: valid credentials for OpenSTAManager · network access to the target · update functionality enabled

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1059 - Command and Scripting Interpreter T1203 - Exploitation for Client Execution

devstral-2 · analyzed May 05, 2026 Full analysis →

References (2)

Core 2

Core References

https://github.com/fuutianyii/poc

https://github.com/devcode-it/openstamanager

Scores

CVSS v3 7.2

EPSS 0.0037

EPSS Percentile 28.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-434

Status published

Products (2)

devcode/openstamanager < 2.10

devcode-it/openstamanager 0 - 2.10-betaPackagist

Published May 04, 2026

Tracked Since May 05, 2026