Vulnerability DatabaseCVE-2026-24415
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-24415
Published:March 03, 2026
Updated:June 27, 2026
OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contains Reflected XSS vulnerabilities in invoice/order/contract modification modals. The application fails to properly sanitize user-supplied input from the righe GET parameter before reflecting it in HTML output.The $_GET['righe'] parameter is directly echoed into the HTML value attribute without any sanitization using htmlspecialchars() or equivalent functions. This allows an attacker to break out of the attribute context and inject arbitrary HTML/JavaScript.
Affected Packages
devcode-it/openstamanager (PHP):
Affected version(s) >=dev-dependabot/composer/davidepastore/codice-fiscale-tw-0.10.0 <v2.9.8
Fix Suggestion:
Update to version v2.9.8
Related Resources (4)
https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/24xxx/CVE-2026-24415.json
https://github.com/devcode-it/openstamanager
https://nvd.nist.gov/vuln/detail/CVE-2026-24415
https://github.com/devcode-it/openstamanager/security/advisories/GHSA-jfgp-g7x7-j25j
Do you need more information?
Contact Us
CVSS v4
Base Score:
5.1
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
ACTIVE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
5.4
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE-79
EPSS
Base Score:
0.24