CVE-2026-29782
HIGH WAF: Medium
CVSS 7.2
Published: 2026-04-02
CWE-502
OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to version 2.10.2, the oauth2.php file in OpenSTAManager is an unauthenticated endpoint ($skip_permissions = true). It loads a record from the zz_oauth2 table using the attacker-controlled GET parameter state, and during the OAuth2 configuration flow calls unserialize() on the access_token field without any class restriction. This issue has been patched in version 2.10.2.
WAF Coverage Analysis
Insecure Deserialization
Medium WAF Coverage
OWASP: A08:2021 Software and Data Integrity Failures
944xxx - Java Attack
Affected Software
| Vendor | Product | Version |
|---|---|---|
| devcode | openstamanager | up to 2.10.2 |
References
- github.com (Patch)
- github.com (Product, Release Notes)
- github.com (Exploit, Mitigation, Vendor Advisory)