CVE-2026-29782

Published: Apr 2, 2026Modified: Apr 7, 2026

7.2

Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.2 / Impact: 5.9

Source: NVD

Description

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize() on the access_token field without any class restriction. This issue has been patched in version 2.10.2.

Affected (1)

Products: Devcode: Openstamanager

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Devcode Openstamanager	Before 2.10.2

Related CWEs

Deserialization of Untrusted Data

The product deserializes untrusted data without sufficiently verifying that the resulting data will be valid.

References (3)

https://github.com/devcode-it/openstamanager/commit/d2e38cbdf91a831cefc0da1548e02b297ae644cc

Source: security-advisories@github.com

Patch

https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2

Source: security-advisories@github.com

ProductRelease Notes

https://github.com/devcode-it/openstamanager/security/advisories/GHSA-whv5-4q2f-q68g

Source: security-advisories@github.com

ExploitMitigationVendor Advisory

Timeline

No history available yet.