CVE-2026-29782

Published: Apr 02, 2026 Last Modified: Apr 02, 2026
ExploitDB:
Other exploit source:
Google Dorks:
HIGH 7,2
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: high
User Interaction: none
Scope: unchanged
Confidentiality: high
Integrity: high
Availability: high

Description

AI Translation Available

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize() on the access_token field without any class restriction. This issue has been patched in version 2.10.2.

502

Deserialization of Untrusted Data

Draft
Abstraction: Base Structure: Simple
Common Consequences
Security Scopes Affected:
Integrity Availability Other
Potential Impacts:
Modify Application Data Unexpected State Dos: Resource Consumption (Cpu) Varies By Context
Applicable Platforms
Languages: Java, JavaScript, PHP, Python, Ruby
Technologies: AI/ML, ICS/OT, Not Technology-Specific
Likelihood of Exploit: Medium
View CWE Details
https://github.com/devcode-it/openstamanager/commit/d2e38cb…
https://github.com/devcode-it/openstamanager/commit/d2e38cbdf91a831cefc0da1548e…
https://github.com/devcode-it/openstamanager/releases/tag/v…
https://github.com/devcode-it/openstamanager/releases/tag/v2.10.2
https://github.com/devcode-it/openstamanager/security/advis…
https://github.com/devcode-it/openstamanager/security/advisories/GHSA-whv5-4q2f…