CVE-2026-24416: OpenSTAManager has a Time-Based Blind SQL Injection in Article Pricing Module
A critical time-based blind SQL injection vulnerability in the article pricing module of OpenSTAManager v2.9.8 allows authenticated attackers to extract the complete database contents, including user credentials, customer data, and financial records, through time-based Boolean inference. The injection is blind: the application returns no query output, so an attacker infers the answer to each injected true/false condition from whether the response is delayed, and reconstructs the data one bit or one character per request.
Status: ✅ Confirmed and tested on a live instance (v2.9.8) and on demo.osmbusiness.it (v2.9.7)
Vulnerable Parameter: idarticolo (GET)
Affected Endpoint: /ajax_complete.php?op=getprezzi
Affected Module: Articoli (Articles/Products)
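For defenders who cannot patch immediately, the affected endpoint and parameter above are enough to hunt for exploitation attempts in web server access logs. The following script is an added example written for this page, not code from the advisory or from the OpenSTAManager project. It assumes Apache/Nginx combined log format, that `idarticolo` is expected to be a plain integer article ID (an assumption, not something the advisory states), and it looks for the delay functions used in time-based injection against MySQL (`SLEEP`, `BENCHMARK`) plus `pg_sleep` and `WAITFOR DELAY` for completeness. The log lines in `SAMPLE_LOG` are constructed for illustration.

```python
import re
from typing import Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed sample access-log lines (combined log format); not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Feb/2026:10:14:01 +0000] "GET /ajax_complete.php?op=getprezzi&idarticolo=12 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Feb/2026:10:14:09 +0000] "GET /ajax_complete.php?op=getprezzi&idarticolo=12%20AND%20SLEEP(5) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Feb/2026:10:14:22 +0000] "GET /ajax_complete.php?op=getprezzi&idarticolo=12%27%20AND%20IF(ASCII(SUBSTRING(user(),1,1))%3E77,SLEEP(3),0)--%20- HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Feb/2026:10:15:03 +0000] "GET /ajax_complete.php?op=getprezzi&idarticolo=12/**/AND/**/BENCHMARK(5000000,MD5(1)) HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [02/Feb/2026:10:15:40 +0000] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Delay primitives used in time-based blind SQLi (MySQL, PostgreSQL, MSSQL).
TIME_FUNCS = re.compile(
    r'\b(?:SLEEP|BENCHMARK|PG_SLEEP)\s*\(|\bWAITFOR\s+DELAY\b', re.IGNORECASE
)

AFFECTED_PATH = "/ajax_complete.php"
AFFECTED_OP = "getprezzi"
AFFECTED_PARAM = "idarticolo"


def normalize(value: str) -> str:
    """Undo common filter-evasion tricks before matching.

    parse_qs already percent-decoded once; decoding again catches
    double-encoded payloads. Inline /**/ comments are replaced by spaces
    and whitespace is collapsed so 'AND/**/SLEEP(5)' reads as 'AND SLEEP(5)'.
    """
    value = unquote_plus(value)
    value = re.sub(r'/\*.*?\*/', ' ', value)
    return re.sub(r'\s+', ' ', value).strip()


def classify(idarticolo: str) -> Optional[str]:
    """Return a finding reason for a suspicious idarticolo value, else None."""
    norm = normalize(idarticolo)
    if TIME_FUNCS.search(norm):
        return "time-based SQLi payload"
    # Assumption for this example: a legitimate article ID is purely numeric.
    if not re.fullmatch(r'\d+', norm):
        return "non-numeric idarticolo"
    return None


def analyze_log(text: str) -> list:
    """Scan combined-format log text for attempts against the affected endpoint."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line
        parts = urlsplit(m["url"])
        if parts.path != AFFECTED_PATH:
            continue
        qs = parse_qs(parts.query, keep_blank_values=True)
        if qs.get("op") != [AFFECTED_OP]:
            continue
        for value in qs.get(AFFECTED_PARAM, []):
            reason = classify(value)
            if reason:
                findings.append({
                    "ip": m["ip"],
                    "ts": m["ts"],
                    "value": normalize(value),
                    "reason": reason,
                })
    return findings


if __name__ == "__main__":
    for f in analyze_log(SAMPLE_LOG):
        print(f"{f['ts']} {f['ip']} {f['reason']}: {f['value']}")
```

A plain access log records the request but not how long the server took to answer it, and the HTTP status is 200 in every case, so this script only shows that a delay payload was sent, not that the injected condition was true. If the server logs response time (Apache `%D`, Nginx `$request_time`), correlating matches with requests that took several seconds longer than the baseline confirms the injection worked and lets you reconstruct what was extracted.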