CVE-2026-24417: OpenSTAManager has a Time-Based Blind SQL Injection with Amplified Denial of Service
A critical Time-Based Blind SQL Injection vulnerability affecting multiple search modules in OpenSTAManager v2.9.8 allows authenticated attackers to extract sensitive database contents, including password hashes, customer data, and financial records, through time-based Boolean inference with amplified execution across 10+ modules.
Status: ✅ Confirmed and tested on live instance (v2.9.8)
Vulnerable Parameter: term (GET)
Affected Endpoint: /ajax_search.php
Affected Modules: Articoli, Ordini, DDT, Fatture, Preventivi, Anagrafiche, Impianti, Contratti, Automezzi, Interventi
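A defender-side check for the pattern described above, as an added example that is not part of the advisory or of OpenSTAManager's code: it parses constructed nginx-style access log lines (the log format, the trailing request_time field and the sample entries are assumptions), flags requests to /ajax_search.php whose term parameter carries a time-delay function or whose response time is abnormally long, and counts suspicious requests per client to surface repeated probing across modules.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

ENDPOINT = "/ajax_search.php"   # endpoint named in the advisory
PARAM = "term"                  # vulnerable GET parameter named in the advisory

# MySQL/MariaDB time-delay functions typical of time-based blind inference.
DELAY_RE = re.compile(r"\b(sleep|benchmark)\s*\(", re.IGNORECASE)

# Assumed nginx-style access line with $request_time appended:
# <ip> - - [<ts>] "<method> <uri> <proto>" <status> <bytes> <seconds>
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<uri>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ (?P<rt>\d+(?:\.\d+)?)$'
)

SLOW_SECONDS = 5.0  # an autocomplete search normally completes well under 1 s

def analyze_line(line, slow_seconds=SLOW_SECONDS):
    """Return a finding for a suspicious ajax_search.php request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["uri"])
    if parts.path != ENDPOINT:
        return None
    # parse_qs decodes once; the extra unquote_plus catches double-encoded values.
    term = unquote_plus(parse_qs(parts.query).get(PARAM, [""])[0])
    reasons = []
    if DELAY_RE.search(term):
        reasons.append("delay_function_in_term")
    if float(m["rt"]) >= slow_seconds:
        reasons.append("slow_response")
    if not reasons:
        return None
    return {"ip": m["ip"], "ts": m["ts"], "term": term, "reasons": reasons}

def analyze_log(lines):
    """All findings plus per-client counts, to spot repeated probing from one source."""
    findings = [f for f in map(analyze_line, lines) if f]
    per_ip = {}
    for f in findings:
        per_ip[f["ip"]] = per_ip.get(f["ip"], 0) + 1
    return findings, per_ip

# Constructed sample lines (not real OpenSTAManager traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Jan/2026:10:00:01 +0000] "GET /ajax_search.php?term=vite HTTP/1.1" 200 512 0.031',
    '10.0.0.9 - - [12/Jan/2026:10:00:07 +0000] "GET /ajax_search.php?term=x%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 410 5.102',
    '10.0.0.9 - - [12/Jan/2026:10:00:14 +0000] "GET /ajax_search.php?term=x%27%20AND%20SLEEP(5)--%20 HTTP/1.1" 200 410 5.088',
    '10.0.0.5 - - [12/Jan/2026:10:00:20 +0000] "GET /index.php HTTP/1.1" 200 9021 0.044',
]
```

Running `analyze_log(SAMPLE_LOG)` yields two findings, both for 10.0.0.9 with reasons `delay_function_in_term` and `slow_response`; the slow-response check alone also catches probes that obfuscate the delay function, at the cost of flagging genuinely slow searches for review.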