## https://sploitus.com/exploit?id=126355E4-E69A-5DAE-9676-3AE959FBBA51
# CVE-2026-24416: OpenSTAManager has a Time-Based Blind SQL Injection in Article Pricing Module

## Overview

| Field | Details |
|---|---|
| **CVE ID** | CVE-2026-24416 |
| **Vulnerability Type** | SQL Injection |
| **Severity** | HIGH |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |

## Description

### Summary

Critical Time-Based Blind SQL Injection vulnerability in the article pricing module of OpenSTAManager v2.9.8 allows authenticated attackers to extract complete database contents including user credentials, customer data, and financial records through time-based Boolean inference attacks.

- **Status:** ✅ Confirmed and tested on a live instance (v2.9.8) and on [demo.osmbusiness.it](https://demo.osmbusiness.it/) (v2.9.7)
- **Vulnerable Parameter:** `idarticolo` (GET)
- **Affected Endpoint:** `/ajax_complete.php?op=getprezzi`
- **Affected Module:** Articoli (Articles/Products)

### Details

OpenSTAManager v2.9.8 contains a critical Time-Based Blind SQL Injection vulnerability in the article pricing completion handler. The application fails to properly sanitize the `idarticolo` parameter befor...
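The advisory's key defensive fact is that `idarticolo` is an article id and should only ever be a decimal integer. The following detection script is an added example, not OpenSTAManager code and not from the advisory author: it scans web-server access log lines for requests to `/ajax_complete.php?op=getprezzi` and flags two things, a non-integer `idarticolo` value and an unusually slow response (the signal a time-based blind injection leaves behind). The log format (combined log with an appended request-time field, nginx `$request_time` style), the `SLOW_SECONDS` threshold and the sample lines are all assumptions constructed for the example.

```python
"""Added detection example for the CVE-2026-24416 pattern (not project code).

Assumption: combined access log with a trailing request-time field in
seconds (nginx `$request_time` style). The threshold below is a guess;
tune it to the deployment's normal latency for this endpoint.
"""
import re
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/ajax_complete.php"
SLOW_SECONDS = 3.0  # assumed threshold for "suspiciously slow"

# Constructed sample log lines; not taken from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Feb/2026:10:00:01 +0000] "GET /ajax_complete.php?op=getprezzi&idarticolo=42 HTTP/1.1" 200 512 0.031
10.0.0.5 - - [01/Feb/2026:10:00:02 +0000] "GET /ajax_complete.php?op=getprezzi&idarticolo=42%27 HTTP/1.1" 200 0 0.040
10.0.0.9 - - [01/Feb/2026:10:00:05 +0000] "GET /ajax_complete.php?op=getprezzi&idarticolo=42 HTTP/1.1" 200 512 5.104
10.0.0.7 - - [01/Feb/2026:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 2048 0.012
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<rt>[\d.]+)$'
)
INT_RE = re.compile(r'^\d+$')


def analyze_line(line):
    """Return a list of finding strings for one log line (empty when clean)."""
    m = LINE_RE.match(line)
    if not m:
        return []  # not in the assumed format; skip rather than guess
    parts = urlsplit(m.group("target"))
    if parts.path != ENDPOINT:
        return []
    # parse_qs URL-decodes values, so "42%27" becomes "42'" here.
    params = parse_qs(parts.query, keep_blank_values=True)
    if params.get("op") != ["getprezzi"]:
        return []
    findings = []
    for value in params.get("idarticolo", []):
        if not INT_RE.match(value):
            findings.append(f"{m.group('ip')}: non-integer idarticolo {value!r}")
    rt = float(m.group("rt"))
    if rt > SLOW_SECONDS:
        findings.append(f"{m.group('ip')}: slow response {rt:.3f}s on getprezzi")
    return findings


def scan_log(text):
    """Run analyze_line over every line of a log and collect the findings."""
    findings = []
    for line in text.splitlines():
        findings.extend(analyze_line(line))
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The integer check is the strict part: any request to this handler whose id is not a plain number is malformed regardless of intent. The latency check is a heuristic and will also fire on ordinary slow queries, so treat it as a correlation signal (same client, repeated calls, many slow responses) rather than a standalone alert.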

## Affected Products

- **devcode-it/openstamanager** (versions: <= 2.9.8)


## CWE Classification

- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')


## References

- https://github.com/devcode-it/openstamanager/security/advisories/GHSA-p864-fqgv-92q4
- https://nvd.nist.gov/vuln/detail/CVE-2026-24416
- https://github.com/advisories/GHSA-p864-fqgv-92q4


## Disclaimer

This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.