CVE-2026-24419: OpenSTAManager has a SQL Injection in the Prima Nota module

February 6, 2026

Critical Error-Based SQL Injection vulnerability in the Prima Nota (Journal Entry) module of OpenSTAManager v2.9.8 allows authenticated attackers to extract complete database contents including user credentials, customer PII, and financial records through XML error messages by injecting malicious SQL into URL parameters.

Status: ✅ Confirmed and tested on live instance (v2.9.8) Vulnerable Parameters: id_documenti (GET parameters) Affected Endpoint: /modules/primanota/add.php Attack Type: Error-Based SQL Injection (IN clause)

References

github.com/advisories/GHSA-4j2x-jh4m-fqv6
github.com/devcode-it/openstamanager
github.com/devcode-it/openstamanager/security/advisories/GHSA-4j2x-jh4m-fqv6
nvd.nist.gov/vuln/detail/CVE-2026-24419

Code Behaviors & Features

Detect and mitigate CVE-2026-24419 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →