Vulnerability Details CVE-2026-27012
OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a privilege escalation and authentication bypass vulnerability in OpenSTAManager allows any attacker to arbitrarily change a user's group (idgruppo) by directly calling modules/utenti/actions.php. This can promote an existing account (e.g. agent) into the Amministratori group as well as demote any user including existing administrators.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 8.5%
CVSS Severity
CVSS v3 Score 9.8
Products affected by CVE-2026-27012
-
cpe:2.3:a:devcode:openstamanager:2.3
-
cpe:2.3:a:devcode:openstamanager:2.3.1
-
cpe:2.3:a:devcode:openstamanager:2.4
-
cpe:2.3:a:devcode:openstamanager:2.4.1
-
cpe:2.3:a:devcode:openstamanager:2.4.10
-
cpe:2.3:a:devcode:openstamanager:2.4.11
-
cpe:2.3:a:devcode:openstamanager:2.4.12
-
cpe:2.3:a:devcode:openstamanager:2.4.13
-
cpe:2.3:a:devcode:openstamanager:2.4.14
-
cpe:2.3:a:devcode:openstamanager:2.4.15
-
cpe:2.3:a:devcode:openstamanager:2.4.16
-
cpe:2.3:a:devcode:openstamanager:2.4.17
-
cpe:2.3:a:devcode:openstamanager:2.4.17.1
-
cpe:2.3:a:devcode:openstamanager:2.4.18
-
cpe:2.3:a:devcode:openstamanager:2.4.19
-
cpe:2.3:a:devcode:openstamanager:2.4.2
-
cpe:2.3:a:devcode:openstamanager:2.4.20
-
cpe:2.3:a:devcode:openstamanager:2.4.21
-
cpe:2.3:a:devcode:openstamanager:2.4.22
-
cpe:2.3:a:devcode:openstamanager:2.4.23
-
cpe:2.3:a:devcode:openstamanager:2.4.24
-
cpe:2.3:a:devcode:openstamanager:2.4.25
-
cpe:2.3:a:devcode:openstamanager:2.4.26
-
cpe:2.3:a:devcode:openstamanager:2.4.27
-
cpe:2.3:a:devcode:openstamanager:2.4.28
-
cpe:2.3:a:devcode:openstamanager:2.4.29
-
cpe:2.3:a:devcode:openstamanager:2.4.3
-
cpe:2.3:a:devcode:openstamanager:2.4.30
-
cpe:2.3:a:devcode:openstamanager:2.4.31
-
cpe:2.3:a:devcode:openstamanager:2.4.32
-
cpe:2.3:a:devcode:openstamanager:2.4.33
-
cpe:2.3:a:devcode:openstamanager:2.4.34
-
cpe:2.3:a:devcode:openstamanager:2.4.35
-
cpe:2.3:a:devcode:openstamanager:2.4.36
-
cpe:2.3:a:devcode:openstamanager:2.4.37
-
cpe:2.3:a:devcode:openstamanager:2.4.38
-
cpe:2.3:a:devcode:openstamanager:2.4.39
-
cpe:2.3:a:devcode:openstamanager:2.4.4
-
cpe:2.3:a:devcode:openstamanager:2.4.40
-
cpe:2.3:a:devcode:openstamanager:2.4.41
-
cpe:2.3:a:devcode:openstamanager:2.4.42
-
cpe:2.3:a:devcode:openstamanager:2.4.43
-
cpe:2.3:a:devcode:openstamanager:2.4.44
-
cpe:2.3:a:devcode:openstamanager:2.4.45
-
cpe:2.3:a:devcode:openstamanager:2.4.46
-
cpe:2.3:a:devcode:openstamanager:2.4.47
-
cpe:2.3:a:devcode:openstamanager:2.4.48
-
cpe:2.3:a:devcode:openstamanager:2.4.49
-
cpe:2.3:a:devcode:openstamanager:2.4.5
-
cpe:2.3:a:devcode:openstamanager:2.4.50
-
cpe:2.3:a:devcode:openstamanager:2.4.51
-
cpe:2.3:a:devcode:openstamanager:2.4.52
-
cpe:2.3:a:devcode:openstamanager:2.4.53
-
cpe:2.3:a:devcode:openstamanager:2.4.54
-
cpe:2.3:a:devcode:openstamanager:2.4.6
-
cpe:2.3:a:devcode:openstamanager:2.4.7
-
cpe:2.3:a:devcode:openstamanager:2.4.8
-
cpe:2.3:a:devcode:openstamanager:2.4.9
-
cpe:2.3:a:devcode:openstamanager:2.5
-
cpe:2.3:a:devcode:openstamanager:2.5.1
-
cpe:2.3:a:devcode:openstamanager:2.5.2
-
cpe:2.3:a:devcode:openstamanager:2.5.3
-
cpe:2.3:a:devcode:openstamanager:2.5.4
-
cpe:2.3:a:devcode:openstamanager:2.5.5
-
cpe:2.3:a:devcode:openstamanager:2.5.6
-
cpe:2.3:a:devcode:openstamanager:2.5.7
-
cpe:2.3:a:devcode:openstamanager:2.6
-
cpe:2.3:a:devcode:openstamanager:2.6.1
-
cpe:2.3:a:devcode:openstamanager:2.6.2
-
cpe:2.3:a:devcode:openstamanager:2.7
-
cpe:2.3:a:devcode:openstamanager:2.7.1
-
cpe:2.3:a:devcode:openstamanager:2.7.2
-
cpe:2.3:a:devcode:openstamanager:2.7.3
-
cpe:2.3:a:devcode:openstamanager:2.8
-
cpe:2.3:a:devcode:openstamanager:2.8.1
-
cpe:2.3:a:devcode:openstamanager:2.8.2
-
cpe:2.3:a:devcode:openstamanager:2.8.3
-
cpe:2.3:a:devcode:openstamanager:2.9
-
cpe:2.3:a:devcode:openstamanager:2.9.1
-
cpe:2.3:a:devcode:openstamanager:2.9.2
-
cpe:2.3:a:devcode:openstamanager:2.9.3
-
cpe:2.3:a:devcode:openstamanager:2.9.4
-
cpe:2.3:a:devcode:openstamanager:2.9.5
-
cpe:2.3:a:devcode:openstamanager:2.9.6
-
cpe:2.3:a:devcode:openstamanager:2.9.7
-
cpe:2.3:a:devcode:openstamanager:2.9.8