## https://sploitus.com/exploit?id=6A03BE12-0C8F-5E56-88BD-6BA537726F79
# CVE-2026-24417: OpenSTAManager has a Time-Based Blind SQL Injection with Amplified Denial of Service

## Overview

| Field | Details |
|---|---|
| **CVE ID** | CVE-2026-24417 |
| **Vulnerability Type** | SQL Injection |
| **Severity** | HIGH |
| **Discovered by** | [Lukasz Rybak](https://github.com/lukasz-rybak) |

## Description

### Summary

A Time-Based Blind SQL Injection vulnerability affecting **multiple search modules** in OpenSTAManager v2.9.8 allows authenticated attackers to extract sensitive database contents, including password hashes, customer data, and financial records, by Boolean inference over induced query delays. Because a single search request is dispatched to **10+ modules**, every injected delay is executed once per module, so each request costs the database several times the injected delay and the same flaw doubles as an amplified denial of service.

- **Status:** Confirmed and tested on a live instance (v2.9.8)
- **Vulnerable Parameter:** `term` (GET)
- **Affected Endpoint:** `/ajax_search.php`
- **Affected Modules:** Articoli, Ordini, DDT, Fatture, Preventivi, Anagrafiche, Impianti, Contratti, Automezzi, Interventi

### Details

OpenSTAManager v2.9.8 contains a critical Time-Based Blind SQL Injection vulnerability in the global search functionality. The application fails to properly saniti...
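As a practical check for the pattern described above, the following Python script is an added example (not code from the advisory, the reporter, or the OpenSTAManager project). It scans web-server access logs for requests to `/ajax_search.php` whose `term` parameter carries a time-based payload (`SLEEP`, `BENCHMARK`, `PG_SLEEP`, `WAITFOR`) and estimates the amplified database stall. Assumptions: the log lines are in common log format and are constructed here, not real traffic; the fan-out of 10 is taken from the module list above as a worst case in which every module's query evaluates the injected delay once; the function names and the `Finding` structure are this example's own.

```python
"""Constructed detection example for time-based blind SQLi in a fan-out search endpoint.

Not OpenSTAManager code. Parses common-log-format lines, isolates the `term`
GET parameter of requests to /ajax_search.php, flags time-based SQL functions
and estimates how much database time each request can burn once the search is
dispatched to every module.
"""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

SEARCH_ENDPOINT = "/ajax_search.php"  # affected endpoint named in the advisory
VULN_PARAM = "term"                   # vulnerable GET parameter named in the advisory
MODULE_FANOUT = 10                    # assumption: one delay evaluation per listed module

# Common log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Time-based primitives across MySQL/MariaDB, PostgreSQL and MSSQL; group 2 is
# the first numeric argument (seconds for SLEEP/PG_SLEEP, iterations for BENCHMARK).
TIME_FUNC_RE = re.compile(r'\b(SLEEP|BENCHMARK|PG_SLEEP|WAITFOR)\s*\(\s*([0-9.]*)', re.IGNORECASE)

# Constructed sample traffic (not real logs). Line 2-4 are injection attempts,
# line 5 hits a different endpoint and must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2026:09:14:02 +0000] "GET /ajax_search.php?term=fattura HTTP/1.1" 200 512
10.0.0.5 - - [10/Feb/2026:09:14:09 +0000] "GET /ajax_search.php?term=a%27%20AND%20SLEEP%285%29--%20- HTTP/1.1" 200 118
10.0.0.7 - - [10/Feb/2026:09:14:11 +0000] "GET /ajax_search.php?term=x%27%20AND%20IF%28ASCII%28SUBSTRING%28%40%40version%2C1%2C1%29%29%3E52%2CSLEEP%283%29%2C0%29--%20- HTTP/1.1" 200 118
10.0.0.9 - - [10/Feb/2026:09:14:15 +0000] "GET /ajax_search.php?term=x%27%20AND%20BENCHMARK%2810000000%2CSHA1%28%27a%27%29%29--%20- HTTP/1.1" 200 118
10.0.0.9 - - [10/Feb/2026:09:14:20 +0000] "GET /index.php?term=SLEEP(5) HTTP/1.1" 200 2048
"""


@dataclass
class Finding:
    ip: str
    ts: str
    term: str                        # decoded payload as the application would see it
    function: str                    # time-based function that triggered the match
    per_query_delay: Optional[float] # seconds per query, None when not derivable (BENCHMARK)
    amplified_delay: Optional[float] # per_query_delay * MODULE_FANOUT


def inspect_line(line: str) -> Optional[Finding]:
    """Return a Finding for a time-based payload aimed at the search endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    if url.path != SEARCH_ENDPOINT:
        return None
    # parse_qs percent-decodes and turns '+' into space, matching PHP's $_GET view
    term = parse_qs(url.query).get(VULN_PARAM, [""])[0]
    f = TIME_FUNC_RE.search(term)
    if not f:
        return None
    func = f.group(1).upper()
    delay = float(f.group(2)) if func in ("SLEEP", "PG_SLEEP") and f.group(2) else None
    amplified = delay * MODULE_FANOUT if delay is not None else None
    return Finding(m.group("ip"), m.group("ts"), term, func, delay, amplified)


def scan(log_text: str) -> list[Finding]:
    """Inspect every line of a log dump and collect the findings."""
    return [x for x in (inspect_line(l) for l in log_text.splitlines()) if x]


def db_seconds_at_risk(findings: list[Finding]) -> float:
    """Lower bound on database time the flagged requests can consume (BENCHMARK counted as 0)."""
    return sum(f.amplified_delay or 0.0 for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(f"{h.ts} {h.ip} {h.function:9} per-query={h.per_query_delay} amplified={h.amplified_delay} term={h.term!r}")
    print(f"estimated DB seconds at risk: {db_seconds_at_risk(hits)}")
```

The estimate is deliberately a lower bound: a `SLEEP()` placed in a `WHERE` clause is evaluated per candidate row, not once per query, so a module with a large table can stall far longer than `delay * MODULE_FANOUT`. Treat any hit as an alert on its own; the amplified figure is there to prioritise, not to decide.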

## Affected Products

- **devcode-it/openstamanager** (versions: < 2.9.8)


## CWE Classification

- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')


## References

- https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4hc4-8599-xh2h
- https://nvd.nist.gov/vuln/detail/CVE-2026-24417
- https://github.com/advisories/GHSA-4hc4-8599-xh2h


## Disclaimer

This CVE was responsibly disclosed following coordinated vulnerability disclosure practices. The information provided here is for educational and defensive purposes only.