How to fix CVE-2025-69213?

Within 24 hours: Inventory all OpenSTAManager deployments and assess exposure; implement network access restrictions to the ajax_complete.php endpoint if possible. Within 7 days: Deploy WAF rules to block malicious SQL injection payloads targeting the get_sedi operation; consider disabling the get_sedi feature if not business-critical. Within 30 days: Evaluate alternative vendors or prepare for vendor patch when available; conduct database audit for unauthorized access; plan upgrade timeline once patch is released.

Is PHP affected by CVE-2025-69213?

OpenSTAManager versions 2.9.8 and prior contain a critical SQL injection vulnerability in the ajax_complete.php endpoint that could allow unauthenticated attackers to compromise database integrity and extract sensitive data.

CVE-2025-69213

HIGH

2026-02-04 [email protected]

GHSA-w995-ff8h-rppg

8.8

CVSS 3.1

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

PoC Detected

Feb 18, 2026 - 15:16 vuln.today

Public exploit code

CVE Published

Feb 04, 2026 - 18:16 nvd

HIGH 8.8

Description

OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, a SQL Injection vulnerability exists in the ajax_complete.php endpoint when handling the get_sedi operation. An authenticated attacker can inject malicious SQL code through the idanagrafica parameter, leading to unauthorized database access. At time of publication, no known patch exists.

Analysis

Technical Context

Classified as CWE-89 (SQL Injection). Affects the ajax_complete.php component of Openstamanager. OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, a SQL Injection vulnerability exists in the ajax_complete.php endpoint when handling the get_sedi operation. An authenticated attacker can inject malicious SQL code through the idanagrafica parameter, leading to unauthorized database access. At time of publication, no known patch exists.

Affected Products

Vendor: Devcode. Product: Openstamanager. Component: ajax_complete.php.

Remediation

Monitor vendor advisories for a patch. Use parameterized queries. Implement input validation. Restrict network access to the affected service where possible.

Priority Score

Low Medium High Critical

KEV: 0

EPSS: +0.0

CVSS: +44

POC: +20

CVE-2025-69213 vulnerability details – vuln.today

Back

CVE-2025-69213

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

CVE-2025-69213

CVSS Vector

Lifecycle Timeline

Tags

Description

Analysis

Technical Context

Affected Products

Remediation

Priority Score

Share

External POC / Exploit Code