CVE-2025-65103: OpenSTAManager has Authenticated SQL Injection in API via 'display' parameter

November 19, 2025

An authenticated SQL Injection vulnerability in the API allows any user, regardless of permission level, to execute arbitrary SQL queries. By manipulating the display parameter in an API request, an attacker can exfiltrate, modify, or delete any data in the database, leading to a full system compromise.

References

github.com/advisories/GHSA-2jm2-2p35-rp3j
github.com/devcode-it/openstamanager
github.com/devcode-it/openstamanager/security/advisories/GHSA-2jm2-2p35-rp3j
nvd.nist.gov/vuln/detail/CVE-2025-65103

Code Behaviors & Features

Detect and mitigate CVE-2025-65103 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →