Exploit for SQL Injection in Devcode Openstamanager CVE-2026-24419

## https://sploitus.com/exploit?id=42AFFFD5-A5A4-543F-BEAA-864EF4064EF4
# CVE-2026-24419: OpenSTAManager has a SQL Injection in the Prima Nota  module 

## Overview

| Field | Details |
|---|---|
| **CVE ID** | CVE-2026-24419 |
| **Vulnerability Type** | SQL Injection |
| **Severity** | HIGH |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |

## Description

### Summary

Critical Error-Based SQL Injection vulnerability in the Prima Nota (Journal Entry) module of OpenSTAManager v2.9.8 allows authenticated attackers to extract complete database contents including user credentials, customer PII, and financial records through XML error messages by injecting malicious SQL into URL parameters.

**Status:** ✅ Confirmed and tested on live instance (v2.9.8)
**Vulnerable Parameters:** `id_documenti` (GET parameters)
**Affected Endpoint:** `/modules/primanota/add.php`
**Attack Type:** Error-Based SQL Injection (IN clause)

### Details

OpenSTAManager v2.9.8 contains a critical Error-Based SQL Injection vulnerability in the Prima Nota (Journal Entry) module's add.php file. The application fails to validate that comma-separated values from GET parameters a...

## Affected Products

- **devcode-it/openstamanager** (versions: <= 2.9.8)


## CWE Classification

- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')


## References

- https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4j2x-jh4m-fqv6
- https://nvd.nist.gov/vuln/detail/CVE-2026-24419
- https://github.com/advisories/GHSA-4j2x-jh4m-fqv6


## Disclaimer

This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.