Search

Find a vulnerability

Search criteria

    14 vulnerabilities by mjperpinosa

    CVE-2026-14753 (GCVE-0-2026-14753)

    Vulnerability from nvd – Published: 2026-07-05 13:45 – Updated: 2026-07-06 13:26
    VLAI
    Title
    mjperpinosa stumasy Note Handler/Assignment notes authorization
    Summary
    A vulnerability was detected in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. This impacts an unknown function of the file /PHP/objects/notes of the component Note Handler/Assignment Handler. Performing a manipulation of the argument assignment_item_id results in authorization bypass. The attack can be initiated remotely. The exploit is now public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/376342 vdb-entrytechnical-description
    https://vuldb.com/vuln/376342/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-14753 third-party-advisory
    https://vuldb.com/submit/849496 third-party-advisory
    https://github.com/mjperpinosa/stumasy/issues/9 exploitissue-tracking
    https://github.com/mjperpinosa/stumasy/ product
    Impacted products
    Vendor Product Version
    mjperpinosa stumasy Affected: 327d1b0f2915ba79d7ef8ebb74553e987609d9be
        cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    gscsd (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-14753",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T13:26:36.439129Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-06T13:26:44.191Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Note Handler/Assignment Handler"
              ],
              "product": "stumasy",
              "vendor": "mjperpinosa",
              "versions": [
                {
                  "status": "affected",
                  "version": "327d1b0f2915ba79d7ef8ebb74553e987609d9be"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "gscsd (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was detected in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. This impacts an unknown function of the file /PHP/objects/notes of the component Note Handler/Assignment Handler. Performing a manipulation of the argument assignment_item_id results in authorization bypass. The attack can be initiated remotely. The exploit is now public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "Authorization Bypass",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-05T13:45:08.177Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-376342 | mjperpinosa stumasy Note Handler/Assignment notes authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/376342"
            },
            {
              "name": "VDB-376342 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/376342/cti"
            },
            {
              "name": "CVE-2026-14753 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-14753"
            },
            {
              "name": "Submit #849496 | mjperpinosa stumasy 327d1b0f2915ba79d7ef8ebb74553e987609d9be Authorization Bypass Through User-Controlled SQL Primary Key",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/849496"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/issues/9"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-04T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-04T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-04T17:55:40.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "mjperpinosa stumasy Note Handler/Assignment notes authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-14753",
        "datePublished": "2026-07-05T13:45:08.177Z",
        "dateReserved": "2026-07-04T15:50:27.016Z",
        "dateUpdated": "2026-07-06T13:26:44.191Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-14752 (GCVE-0-2026-14752)

    Vulnerability from nvd – Published: 2026-07-05 13:30 – Updated: 2026-07-06 13:08
    VLAI
    Title
    mjperpinosa stumasy add_into_dictionary.php add_definition cross site scripting
    Summary
    A security vulnerability has been detected in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. This affects the function add_definition of the file application/PHP/objects/notes/add_into_dictionary.php. Such manipulation of the argument reference leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/376341 vdb-entrytechnical-description
    https://vuldb.com/vuln/376341/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-14752 third-party-advisory
    https://vuldb.com/submit/849495 third-party-advisory
    https://github.com/mjperpinosa/stumasy/issues/8 exploitissue-tracking
    https://github.com/mjperpinosa/stumasy/ product
    Impacted products
    Vendor Product Version
    mjperpinosa stumasy Affected: 327d1b0f2915ba79d7ef8ebb74553e987609d9be
        cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    cnluminous (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-14752",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T13:08:40.411505Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-06T13:08:48.416Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*"
              ],
              "product": "stumasy",
              "vendor": "mjperpinosa",
              "versions": [
                {
                  "status": "affected",
                  "version": "327d1b0f2915ba79d7ef8ebb74553e987609d9be"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "cnluminous (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security vulnerability has been detected in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. This affects the function add_definition of the file application/PHP/objects/notes/add_into_dictionary.php. Such manipulation of the argument reference leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4,
                "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross Site Scripting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-05T13:30:08.679Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-376341 | mjperpinosa stumasy add_into_dictionary.php add_definition cross site scripting",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/376341"
            },
            {
              "name": "VDB-376341 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/376341/cti"
            },
            {
              "name": "CVE-2026-14752 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-14752"
            },
            {
              "name": "Submit #849495 | mjperpinosa stumasy 327d1b0f2915ba79d7ef8ebb74553e987609d9be Cross Site Scripting",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/849495"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/issues/8"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-04T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-04T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-04T17:55:37.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "mjperpinosa stumasy add_into_dictionary.php add_definition cross site scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-14752",
        "datePublished": "2026-07-05T13:30:08.679Z",
        "dateReserved": "2026-07-04T15:50:24.498Z",
        "dateUpdated": "2026-07-06T13:08:48.416Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-14751 (GCVE-0-2026-14751)

    Vulnerability from nvd – Published: 2026-07-05 13:15 – Updated: 2026-07-06 16:50
    VLAI
    Title
    mjperpinosa stumasy search_scratch_data.php search_scratch_data sql injection
    Summary
    A weakness has been identified in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. The impacted element is the function Notes_controller::search_scratch_data of the file application/PHP/objects/notes/search_scratch_data.php. This manipulation of the argument field_name causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/376340 vdb-entrytechnical-description
    https://vuldb.com/vuln/376340/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-14751 third-party-advisory
    https://vuldb.com/submit/849494 third-party-advisory
    https://github.com/mjperpinosa/stumasy/issues/7 exploitissue-tracking
    https://github.com/mjperpinosa/stumasy/ product
    Impacted products
    Vendor Product Version
    mjperpinosa stumasy Affected: 327d1b0f2915ba79d7ef8ebb74553e987609d9be
        cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    cnluminous (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-14751",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T16:36:04.476759Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-06T16:50:05.587Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*"
              ],
              "product": "stumasy",
              "vendor": "mjperpinosa",
              "versions": [
                {
                  "status": "affected",
                  "version": "327d1b0f2915ba79d7ef8ebb74553e987609d9be"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "cnluminous (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A weakness has been identified in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. The impacted element is the function Notes_controller::search_scratch_data of the file application/PHP/objects/notes/search_scratch_data.php. This manipulation of the argument field_name causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-05T13:15:08.543Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-376340 | mjperpinosa stumasy search_scratch_data.php search_scratch_data sql injection",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/376340"
            },
            {
              "name": "VDB-376340 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/376340/cti"
            },
            {
              "name": "CVE-2026-14751 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-14751"
            },
            {
              "name": "Submit #849494 | mjperpinosa stumasy 327d1b0f2915ba79d7ef8ebb74553e987609d9be SQL Injection",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/849494"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/issues/7"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-04T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-04T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-04T17:55:35.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "mjperpinosa stumasy search_scratch_data.php search_scratch_data sql injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-14751",
        "datePublished": "2026-07-05T13:15:08.543Z",
        "dateReserved": "2026-07-04T15:50:22.120Z",
        "dateUpdated": "2026-07-06T16:50:05.587Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-14750 (GCVE-0-2026-14750)

    Vulnerability from nvd – Published: 2026-07-05 13:00 – Updated: 2026-07-07 02:50
    VLAI
    Title
    mjperpinosa stumasy accessing_dictionary_authorization.php accessing_dictionary_authorization sql injection
    Summary
    A security flaw has been discovered in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. The affected element is the function Notes_controller::accessing_dictionary_authorization of the file application/PHP/objects/notes/accessing_dictionary_authorization.php. The manipulation of the argument Password results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/376339 vdb-entrytechnical-description
    https://vuldb.com/vuln/376339/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-14750 third-party-advisory
    https://vuldb.com/submit/849483 third-party-advisory
    https://github.com/mjperpinosa/stumasy/issues/6 exploitissue-tracking
    https://github.com/mjperpinosa/stumasy/ product
    Impacted products
    Vendor Product Version
    mjperpinosa stumasy Affected: 327d1b0f2915ba79d7ef8ebb74553e987609d9be
        cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    gscsd (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-14750",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-07T02:50:03.909165Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-07T02:50:24.885Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*"
              ],
              "product": "stumasy",
              "vendor": "mjperpinosa",
              "versions": [
                {
                  "status": "affected",
                  "version": "327d1b0f2915ba79d7ef8ebb74553e987609d9be"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "gscsd (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security flaw has been discovered in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. The affected element is the function Notes_controller::accessing_dictionary_authorization of the file application/PHP/objects/notes/accessing_dictionary_authorization.php. The manipulation of the argument Password results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-05T13:00:10.692Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-376339 | mjperpinosa stumasy accessing_dictionary_authorization.php accessing_dictionary_authorization sql injection",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/376339"
            },
            {
              "name": "VDB-376339 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/376339/cti"
            },
            {
              "name": "CVE-2026-14750 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-14750"
            },
            {
              "name": "Submit #849483 | mjperpinosa stumasy 327d1b0f2915ba79d7ef8ebb74553e987609d9be SQL Injection",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/849483"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/issues/6"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-04T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-04T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-04T17:55:32.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "mjperpinosa stumasy accessing_dictionary_authorization.php accessing_dictionary_authorization sql injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-14750",
        "datePublished": "2026-07-05T13:00:10.692Z",
        "dateReserved": "2026-07-04T15:50:19.755Z",
        "dateUpdated": "2026-07-07T02:50:24.885Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-14749 (GCVE-0-2026-14749)

    Vulnerability from nvd – Published: 2026-07-05 12:45 – Updated: 2026-07-06 18:44
    VLAI
    Title
    mjperpinosa stumasy calculate.php eval code injection
    Summary
    A vulnerability was identified in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. Impacted is the function eval of the file application/pages/imba_calculator/calculate.php. The manipulation of the argument mathematical_sentence leads to code injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/376338 vdb-entrytechnical-description
    https://vuldb.com/vuln/376338/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-14749 third-party-advisory
    https://vuldb.com/submit/849414 third-party-advisory
    https://github.com/mjperpinosa/stumasy/issues/5 exploitissue-tracking
    https://github.com/mjperpinosa/stumasy/ product
    Impacted products
    Vendor Product Version
    mjperpinosa stumasy Affected: 327d1b0f2915ba79d7ef8ebb74553e987609d9be
        cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    gscsd (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-14749",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T18:43:51.552820Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-06T18:44:00.629Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*"
              ],
              "product": "stumasy",
              "vendor": "mjperpinosa",
              "versions": [
                {
                  "status": "affected",
                  "version": "327d1b0f2915ba79d7ef8ebb74553e987609d9be"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "gscsd (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was identified in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. Impacted is the function eval of the file application/pages/imba_calculator/calculate.php. The manipulation of the argument mathematical_sentence leads to code injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-05T12:45:07.950Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-376338 | mjperpinosa stumasy calculate.php eval code injection",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/376338"
            },
            {
              "name": "VDB-376338 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/376338/cti"
            },
            {
              "name": "CVE-2026-14749 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-14749"
            },
            {
              "name": "Submit #849414 | mjperpinosa stumasy 327d1b0f2915ba79d7ef8ebb74553e987609d9be Code Injection",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/849414"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/issues/5"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-04T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-04T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-04T17:46:19.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "mjperpinosa stumasy calculate.php eval code injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-14749",
        "datePublished": "2026-07-05T12:45:07.950Z",
        "dateReserved": "2026-07-04T15:41:16.167Z",
        "dateUpdated": "2026-07-06T18:44:00.629Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10807 (GCVE-0-2026-10807)

    Vulnerability from nvd – Published: 2026-06-04 12:30 – Updated: 2026-06-04 13:48
    VLAI
    Title
    mjperpinosa stumasy change_profile_image.php unrestricted upload
    Summary
    A vulnerability was determined in mjperpinosa stumasy. The impacted element is an unknown function of the file application/PHP/objects/profiles/change_profile_image.php. Executing a manipulation of the argument pr_profile_image can lead to unrestricted upload. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/368255 vdb-entrytechnical-description
    https://vuldb.com/vuln/368255/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-10807 third-party-advisory
    https://vuldb.com/submit/831551 third-party-advisory
    https://github.com/mjperpinosa/stumasy/issues/3 exploitissue-tracking
    https://github.com/mjperpinosa/stumasy/ product
    Impacted products
    Vendor Product Version
    mjperpinosa stumasy Affected: 25d695901fbb586bf184b8ba73456d8e5311656c
    Affected: 79c86fce86a09adc6edcbd6d56115fbff14ed538
    Affected: 327d1b0f2915ba79d7ef8ebb74553e987609d9be
        cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    j1nk1ng (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10807",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-04T13:48:14.951725Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-04T13:48:22.393Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*"
              ],
              "product": "stumasy",
              "vendor": "mjperpinosa",
              "versions": [
                {
                  "status": "affected",
                  "version": "25d695901fbb586bf184b8ba73456d8e5311656c"
                },
                {
                  "status": "affected",
                  "version": "79c86fce86a09adc6edcbd6d56115fbff14ed538"
                },
                {
                  "status": "affected",
                  "version": "327d1b0f2915ba79d7ef8ebb74553e987609d9be"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "j1nk1ng (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was determined in mjperpinosa stumasy. The impacted element is an unknown function of the file application/PHP/objects/profiles/change_profile_image.php. Executing a manipulation of the argument pr_profile_image can lead to unrestricted upload. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "Unrestricted Upload",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "Improper Access Controls",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-04T12:30:12.057Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-368255 | mjperpinosa stumasy change_profile_image.php unrestricted upload",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/368255"
            },
            {
              "name": "VDB-368255 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/368255/cti"
            },
            {
              "name": "CVE-2026-10807 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-10807"
            },
            {
              "name": "Submit #831551 | mjperpinosa stumasy 1.0 RCE vulnerability",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/831551"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/issues/3"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-04T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-06-04T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-06-04T07:19:55.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "mjperpinosa stumasy change_profile_image.php unrestricted upload"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-10807",
        "datePublished": "2026-06-04T12:30:12.057Z",
        "dateReserved": "2026-06-04T05:14:46.616Z",
        "dateUpdated": "2026-06-04T13:48:22.393Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10806 (GCVE-0-2026-10806)

    Vulnerability from nvd – Published: 2026-06-04 12:15 – Updated: 2026-06-04 15:06
    VLAI
    Title
    mjperpinosa stumasy add_post.php unrestricted upload
    Summary
    A vulnerability was found in mjperpinosa stumasy. The affected element is an unknown function of the file application/PHP/objects/updates/add_post.php. Performing a manipulation of the argument up_file_to_post results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/368254 vdb-entrytechnical-description
    https://vuldb.com/vuln/368254/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-10806 third-party-advisory
    https://vuldb.com/submit/831510 third-party-advisory
    https://github.com/mjperpinosa/stumasy/issues/1 exploitissue-tracking
    https://github.com/mjperpinosa/stumasy/ product
    Impacted products
    Vendor Product Version
    mjperpinosa stumasy Affected: 25d695901fbb586bf184b8ba73456d8e5311656c
    Affected: 79c86fce86a09adc6edcbd6d56115fbff14ed538
    Affected: 327d1b0f2915ba79d7ef8ebb74553e987609d9be
        cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    cnluminous (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10806",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-04T15:03:00.695671Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-04T15:06:43.546Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*"
              ],
              "product": "stumasy",
              "vendor": "mjperpinosa",
              "versions": [
                {
                  "status": "affected",
                  "version": "25d695901fbb586bf184b8ba73456d8e5311656c"
                },
                {
                  "status": "affected",
                  "version": "79c86fce86a09adc6edcbd6d56115fbff14ed538"
                },
                {
                  "status": "affected",
                  "version": "327d1b0f2915ba79d7ef8ebb74553e987609d9be"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "cnluminous (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in mjperpinosa stumasy. The affected element is an unknown function of the file application/PHP/objects/updates/add_post.php. Performing a manipulation of the argument up_file_to_post results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "Unrestricted Upload",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "Improper Access Controls",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-04T12:15:10.177Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-368254 | mjperpinosa stumasy add_post.php unrestricted upload",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/368254"
            },
            {
              "name": "VDB-368254 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/368254/cti"
            },
            {
              "name": "CVE-2026-10806 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-10806"
            },
            {
              "name": "Submit #831510 | mjperpinosa stumasy 1.0 RCE vulnerability",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/831510"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/issues/1"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-04T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-06-04T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-06-04T07:19:48.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "mjperpinosa stumasy add_post.php unrestricted upload"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-10806",
        "datePublished": "2026-06-04T12:15:10.177Z",
        "dateReserved": "2026-06-04T05:14:43.960Z",
        "dateUpdated": "2026-06-04T15:06:43.546Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-14753 (GCVE-0-2026-14753)

    Vulnerability from cvelistv5 – Published: 2026-07-05 13:45 – Updated: 2026-07-06 13:26
    VLAI
    Title
    mjperpinosa stumasy Note Handler/Assignment notes authorization
    Summary
    A vulnerability was detected in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. This impacts an unknown function of the file /PHP/objects/notes of the component Note Handler/Assignment Handler. Performing a manipulation of the argument assignment_item_id results in authorization bypass. The attack can be initiated remotely. The exploit is now public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/376342 vdb-entrytechnical-description
    https://vuldb.com/vuln/376342/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-14753 third-party-advisory
    https://vuldb.com/submit/849496 third-party-advisory
    https://github.com/mjperpinosa/stumasy/issues/9 exploitissue-tracking
    https://github.com/mjperpinosa/stumasy/ product
    Impacted products
    Vendor Product Version
    mjperpinosa stumasy Affected: 327d1b0f2915ba79d7ef8ebb74553e987609d9be
        cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    gscsd (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-14753",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T13:26:36.439129Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-06T13:26:44.191Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Note Handler/Assignment Handler"
              ],
              "product": "stumasy",
              "vendor": "mjperpinosa",
              "versions": [
                {
                  "status": "affected",
                  "version": "327d1b0f2915ba79d7ef8ebb74553e987609d9be"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "gscsd (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was detected in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. This impacts an unknown function of the file /PHP/objects/notes of the component Note Handler/Assignment Handler. Performing a manipulation of the argument assignment_item_id results in authorization bypass. The attack can be initiated remotely. The exploit is now public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-639",
                  "description": "Authorization Bypass",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-05T13:45:08.177Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-376342 | mjperpinosa stumasy Note Handler/Assignment notes authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/376342"
            },
            {
              "name": "VDB-376342 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/376342/cti"
            },
            {
              "name": "CVE-2026-14753 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-14753"
            },
            {
              "name": "Submit #849496 | mjperpinosa stumasy 327d1b0f2915ba79d7ef8ebb74553e987609d9be Authorization Bypass Through User-Controlled SQL Primary Key",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/849496"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/issues/9"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-04T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-04T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-04T17:55:40.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "mjperpinosa stumasy Note Handler/Assignment notes authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-14753",
        "datePublished": "2026-07-05T13:45:08.177Z",
        "dateReserved": "2026-07-04T15:50:27.016Z",
        "dateUpdated": "2026-07-06T13:26:44.191Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-14752 (GCVE-0-2026-14752)

    Vulnerability from cvelistv5 – Published: 2026-07-05 13:30 – Updated: 2026-07-06 13:08
    VLAI
    Title
    mjperpinosa stumasy add_into_dictionary.php add_definition cross site scripting
    Summary
    A security vulnerability has been detected in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. This affects the function add_definition of the file application/PHP/objects/notes/add_into_dictionary.php. Such manipulation of the argument reference leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/376341 vdb-entrytechnical-description
    https://vuldb.com/vuln/376341/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-14752 third-party-advisory
    https://vuldb.com/submit/849495 third-party-advisory
    https://github.com/mjperpinosa/stumasy/issues/8 exploitissue-tracking
    https://github.com/mjperpinosa/stumasy/ product
    Impacted products
    Vendor Product Version
    mjperpinosa stumasy Affected: 327d1b0f2915ba79d7ef8ebb74553e987609d9be
        cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    cnluminous (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-14752",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T13:08:40.411505Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-06T13:08:48.416Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*"
              ],
              "product": "stumasy",
              "vendor": "mjperpinosa",
              "versions": [
                {
                  "status": "affected",
                  "version": "327d1b0f2915ba79d7ef8ebb74553e987609d9be"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "cnluminous (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security vulnerability has been detected in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. This affects the function add_definition of the file application/PHP/objects/notes/add_into_dictionary.php. Such manipulation of the argument reference leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.5,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4,
                "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross Site Scripting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-05T13:30:08.679Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-376341 | mjperpinosa stumasy add_into_dictionary.php add_definition cross site scripting",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/376341"
            },
            {
              "name": "VDB-376341 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/376341/cti"
            },
            {
              "name": "CVE-2026-14752 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-14752"
            },
            {
              "name": "Submit #849495 | mjperpinosa stumasy 327d1b0f2915ba79d7ef8ebb74553e987609d9be Cross Site Scripting",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/849495"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/issues/8"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-04T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-04T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-04T17:55:37.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "mjperpinosa stumasy add_into_dictionary.php add_definition cross site scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-14752",
        "datePublished": "2026-07-05T13:30:08.679Z",
        "dateReserved": "2026-07-04T15:50:24.498Z",
        "dateUpdated": "2026-07-06T13:08:48.416Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-14751 (GCVE-0-2026-14751)

    Vulnerability from cvelistv5 – Published: 2026-07-05 13:15 – Updated: 2026-07-06 16:50
    VLAI
    Title
    mjperpinosa stumasy search_scratch_data.php search_scratch_data sql injection
    Summary
    A weakness has been identified in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. The impacted element is the function Notes_controller::search_scratch_data of the file application/PHP/objects/notes/search_scratch_data.php. This manipulation of the argument field_name causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/376340 vdb-entrytechnical-description
    https://vuldb.com/vuln/376340/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-14751 third-party-advisory
    https://vuldb.com/submit/849494 third-party-advisory
    https://github.com/mjperpinosa/stumasy/issues/7 exploitissue-tracking
    https://github.com/mjperpinosa/stumasy/ product
    Impacted products
    Vendor Product Version
    mjperpinosa stumasy Affected: 327d1b0f2915ba79d7ef8ebb74553e987609d9be
        cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    cnluminous (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-14751",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T16:36:04.476759Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-06T16:50:05.587Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*"
              ],
              "product": "stumasy",
              "vendor": "mjperpinosa",
              "versions": [
                {
                  "status": "affected",
                  "version": "327d1b0f2915ba79d7ef8ebb74553e987609d9be"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "cnluminous (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A weakness has been identified in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. The impacted element is the function Notes_controller::search_scratch_data of the file application/PHP/objects/notes/search_scratch_data.php. This manipulation of the argument field_name causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-05T13:15:08.543Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-376340 | mjperpinosa stumasy search_scratch_data.php search_scratch_data sql injection",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/376340"
            },
            {
              "name": "VDB-376340 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/376340/cti"
            },
            {
              "name": "CVE-2026-14751 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-14751"
            },
            {
              "name": "Submit #849494 | mjperpinosa stumasy 327d1b0f2915ba79d7ef8ebb74553e987609d9be SQL Injection",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/849494"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/issues/7"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-04T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-04T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-04T17:55:35.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "mjperpinosa stumasy search_scratch_data.php search_scratch_data sql injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-14751",
        "datePublished": "2026-07-05T13:15:08.543Z",
        "dateReserved": "2026-07-04T15:50:22.120Z",
        "dateUpdated": "2026-07-06T16:50:05.587Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-14750 (GCVE-0-2026-14750)

    Vulnerability from cvelistv5 – Published: 2026-07-05 13:00 – Updated: 2026-07-07 02:50
    VLAI
    Title
    mjperpinosa stumasy accessing_dictionary_authorization.php accessing_dictionary_authorization sql injection
    Summary
    A security flaw has been discovered in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. The affected element is the function Notes_controller::accessing_dictionary_authorization of the file application/PHP/objects/notes/accessing_dictionary_authorization.php. The manipulation of the argument Password results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/376339 vdb-entrytechnical-description
    https://vuldb.com/vuln/376339/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-14750 third-party-advisory
    https://vuldb.com/submit/849483 third-party-advisory
    https://github.com/mjperpinosa/stumasy/issues/6 exploitissue-tracking
    https://github.com/mjperpinosa/stumasy/ product
    Impacted products
    Vendor Product Version
    mjperpinosa stumasy Affected: 327d1b0f2915ba79d7ef8ebb74553e987609d9be
        cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    gscsd (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-14750",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-07T02:50:03.909165Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-07T02:50:24.885Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*"
              ],
              "product": "stumasy",
              "vendor": "mjperpinosa",
              "versions": [
                {
                  "status": "affected",
                  "version": "327d1b0f2915ba79d7ef8ebb74553e987609d9be"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "gscsd (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security flaw has been discovered in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. The affected element is the function Notes_controller::accessing_dictionary_authorization of the file application/PHP/objects/notes/accessing_dictionary_authorization.php. The manipulation of the argument Password results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-05T13:00:10.692Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-376339 | mjperpinosa stumasy accessing_dictionary_authorization.php accessing_dictionary_authorization sql injection",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/376339"
            },
            {
              "name": "VDB-376339 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/376339/cti"
            },
            {
              "name": "CVE-2026-14750 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-14750"
            },
            {
              "name": "Submit #849483 | mjperpinosa stumasy 327d1b0f2915ba79d7ef8ebb74553e987609d9be SQL Injection",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/849483"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/issues/6"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-04T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-04T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-04T17:55:32.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "mjperpinosa stumasy accessing_dictionary_authorization.php accessing_dictionary_authorization sql injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-14750",
        "datePublished": "2026-07-05T13:00:10.692Z",
        "dateReserved": "2026-07-04T15:50:19.755Z",
        "dateUpdated": "2026-07-07T02:50:24.885Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-14749 (GCVE-0-2026-14749)

    Vulnerability from cvelistv5 – Published: 2026-07-05 12:45 – Updated: 2026-07-06 18:44
    VLAI
    Title
    mjperpinosa stumasy calculate.php eval code injection
    Summary
    A vulnerability was identified in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. Impacted is the function eval of the file application/pages/imba_calculator/calculate.php. The manipulation of the argument mathematical_sentence leads to code injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/376338 vdb-entrytechnical-description
    https://vuldb.com/vuln/376338/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-14749 third-party-advisory
    https://vuldb.com/submit/849414 third-party-advisory
    https://github.com/mjperpinosa/stumasy/issues/5 exploitissue-tracking
    https://github.com/mjperpinosa/stumasy/ product
    Impacted products
    Vendor Product Version
    mjperpinosa stumasy Affected: 327d1b0f2915ba79d7ef8ebb74553e987609d9be
        cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    gscsd (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-14749",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-06T18:43:51.552820Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-06T18:44:00.629Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*"
              ],
              "product": "stumasy",
              "vendor": "mjperpinosa",
              "versions": [
                {
                  "status": "affected",
                  "version": "327d1b0f2915ba79d7ef8ebb74553e987609d9be"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "gscsd (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was identified in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. Impacted is the function eval of the file application/pages/imba_calculator/calculate.php. The manipulation of the argument mathematical_sentence leads to code injection. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-05T12:45:07.950Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-376338 | mjperpinosa stumasy calculate.php eval code injection",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/376338"
            },
            {
              "name": "VDB-376338 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/376338/cti"
            },
            {
              "name": "CVE-2026-14749 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-14749"
            },
            {
              "name": "Submit #849414 | mjperpinosa stumasy 327d1b0f2915ba79d7ef8ebb74553e987609d9be Code Injection",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/849414"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/issues/5"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-04T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-04T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-04T17:46:19.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "mjperpinosa stumasy calculate.php eval code injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-14749",
        "datePublished": "2026-07-05T12:45:07.950Z",
        "dateReserved": "2026-07-04T15:41:16.167Z",
        "dateUpdated": "2026-07-06T18:44:00.629Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10807 (GCVE-0-2026-10807)

    Vulnerability from cvelistv5 – Published: 2026-06-04 12:30 – Updated: 2026-06-04 13:48
    VLAI
    Title
    mjperpinosa stumasy change_profile_image.php unrestricted upload
    Summary
    A vulnerability was determined in mjperpinosa stumasy. The impacted element is an unknown function of the file application/PHP/objects/profiles/change_profile_image.php. Executing a manipulation of the argument pr_profile_image can lead to unrestricted upload. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/368255 vdb-entrytechnical-description
    https://vuldb.com/vuln/368255/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-10807 third-party-advisory
    https://vuldb.com/submit/831551 third-party-advisory
    https://github.com/mjperpinosa/stumasy/issues/3 exploitissue-tracking
    https://github.com/mjperpinosa/stumasy/ product
    Impacted products
    Vendor Product Version
    mjperpinosa stumasy Affected: 25d695901fbb586bf184b8ba73456d8e5311656c
    Affected: 79c86fce86a09adc6edcbd6d56115fbff14ed538
    Affected: 327d1b0f2915ba79d7ef8ebb74553e987609d9be
        cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    j1nk1ng (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10807",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-04T13:48:14.951725Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-04T13:48:22.393Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*"
              ],
              "product": "stumasy",
              "vendor": "mjperpinosa",
              "versions": [
                {
                  "status": "affected",
                  "version": "25d695901fbb586bf184b8ba73456d8e5311656c"
                },
                {
                  "status": "affected",
                  "version": "79c86fce86a09adc6edcbd6d56115fbff14ed538"
                },
                {
                  "status": "affected",
                  "version": "327d1b0f2915ba79d7ef8ebb74553e987609d9be"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "j1nk1ng (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was determined in mjperpinosa stumasy. The impacted element is an unknown function of the file application/PHP/objects/profiles/change_profile_image.php. Executing a manipulation of the argument pr_profile_image can lead to unrestricted upload. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "Unrestricted Upload",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "Improper Access Controls",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-04T12:30:12.057Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-368255 | mjperpinosa stumasy change_profile_image.php unrestricted upload",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/368255"
            },
            {
              "name": "VDB-368255 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/368255/cti"
            },
            {
              "name": "CVE-2026-10807 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-10807"
            },
            {
              "name": "Submit #831551 | mjperpinosa stumasy 1.0 RCE vulnerability",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/831551"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/issues/3"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-04T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-06-04T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-06-04T07:19:55.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "mjperpinosa stumasy change_profile_image.php unrestricted upload"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-10807",
        "datePublished": "2026-06-04T12:30:12.057Z",
        "dateReserved": "2026-06-04T05:14:46.616Z",
        "dateUpdated": "2026-06-04T13:48:22.393Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-10806 (GCVE-0-2026-10806)

    Vulnerability from cvelistv5 – Published: 2026-06-04 12:15 – Updated: 2026-06-04 15:06
    VLAI
    Title
    mjperpinosa stumasy add_post.php unrestricted upload
    Summary
    A vulnerability was found in mjperpinosa stumasy. The affected element is an unknown function of the file application/PHP/objects/updates/add_post.php. Performing a manipulation of the argument up_file_to_post results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/368254 vdb-entrytechnical-description
    https://vuldb.com/vuln/368254/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-10806 third-party-advisory
    https://vuldb.com/submit/831510 third-party-advisory
    https://github.com/mjperpinosa/stumasy/issues/1 exploitissue-tracking
    https://github.com/mjperpinosa/stumasy/ product
    Impacted products
    Vendor Product Version
    mjperpinosa stumasy Affected: 25d695901fbb586bf184b8ba73456d8e5311656c
    Affected: 79c86fce86a09adc6edcbd6d56115fbff14ed538
    Affected: 327d1b0f2915ba79d7ef8ebb74553e987609d9be
        cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    cnluminous (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-10806",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-06-04T15:03:00.695671Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-06-04T15:06:43.546Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*"
              ],
              "product": "stumasy",
              "vendor": "mjperpinosa",
              "versions": [
                {
                  "status": "affected",
                  "version": "25d695901fbb586bf184b8ba73456d8e5311656c"
                },
                {
                  "status": "affected",
                  "version": "79c86fce86a09adc6edcbd6d56115fbff14ed538"
                },
                {
                  "status": "affected",
                  "version": "327d1b0f2915ba79d7ef8ebb74553e987609d9be"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "cnluminous (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in mjperpinosa stumasy. The affected element is an unknown function of the file application/PHP/objects/updates/add_post.php. Performing a manipulation of the argument up_file_to_post results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "Unrestricted Upload",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "Improper Access Controls",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-06-04T12:15:10.177Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-368254 | mjperpinosa stumasy add_post.php unrestricted upload",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/368254"
            },
            {
              "name": "VDB-368254 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/368254/cti"
            },
            {
              "name": "CVE-2026-10806 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-10806"
            },
            {
              "name": "Submit #831510 | mjperpinosa stumasy 1.0 RCE vulnerability",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/831510"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/issues/1"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/mjperpinosa/stumasy/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-06-04T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-06-04T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-06-04T07:19:48.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "mjperpinosa stumasy add_post.php unrestricted upload"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-10806",
        "datePublished": "2026-06-04T12:15:10.177Z",
        "dateReserved": "2026-06-04T05:14:43.960Z",
        "dateUpdated": "2026-06-04T15:06:43.546Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }