2 CVEs
CRITICAL
CVSS 9.8
OpenSTAManager XSS and Authentication
2026-03-03
CVE-2026-27012
CRITICAL
POC
Privilege escalation and auth bypass in OpenSTAManager 2.9.8. PoC available.
9.8
CVSS
0.0%
EPSS
CVE-2026-24415
MEDIUM
POC
PATCH
Reflected cross-site scripting in OpenSTAManager v2.9.8 and earlier allows unauthenticated attackers to inject malicious scripts through unsanitized GET parameters in invoice/order/contract modification interfaces. Public exploit code exists for this vulnerability, affecting all users of the software. An attacker can steal session tokens, perform unauthorized actions, or compromise user browsers when victims interact with crafted malicious links.
6.1
CVSS
0.0%
EPSS