Skip to content
Threat Feed
high advisory

CVE-2026-14749: mjperpinosa stumasy Code Injection Vulnerability

A code injection vulnerability (CVE-2026-14749) was identified in mjperpinosa stumasy, affecting versions up to commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be, which allows remote attackers to execute arbitrary code by manipulating the 'mathematical_sentence' argument in the 'eval' function of 'application/pages/imba_calculator/calculate.php', with a public exploit available and no vendor response.

A critical code injection vulnerability, identified as CVE-2026-14749, exists in mjperpinosa stumasy, affecting versions up to commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be. This flaw resides within the eval function in the application/pages/imba_calculator/calculate.php file, allowing remote attackers to execute arbitrary code by manipulating the mathematical_sentence argument. The vulnerability has a CVSS v3.1 Base Score of 7.3 and is publicly exploitable. While the product utilizes a rolling release strategy, preventing the enumeration of specific affected or patched versions, the vendor has not yet responded to the reported issue, leaving deployments exposed. Defenders must be aware that readily available exploits facilitate widespread targeting of unpatched instances.

Attack Chain

  1. An attacker identifies a public-facing instance of mjperpinosa stumasy.
  2. The attacker crafts an HTTP POST or GET request targeting the application/pages/imba_calculator/calculate.php endpoint on the vulnerable server.
  3. The request includes a specially crafted mathematical_sentence parameter containing arbitrary PHP code (e.g., 1+1; system('id');).
  4. The vulnerable eval function in application/pages/imba_calculator/calculate.php processes the mathematical_sentence argument without proper sanitization.
  5. The malicious PHP code embedded within the mathematical_sentence argument is executed by the server process.
  6. The server's HTTP response may reveal the output of the executed command, confirming successful code injection and providing initial access.
  7. The attacker leverages this remote code execution to download further malware, establish persistence, exfiltrate sensitive data, or perform other malicious actions on the compromised server.

Impact

The exploitation of CVE-2026-14749 grants remote attackers arbitrary code execution capabilities on affected mjperpinosa stumasy instances. Given the public availability of an exploit and the vendor's non-response to the reported issue, organizations running this software are at high risk. Successful exploitation can lead to complete system compromise, data theft, defacement, or further lateral movement within the network, potentially impacting critical business operations and exposing sensitive information to unauthorized parties.

Recommendation

  • Deploy the Detects CVE-2026-14749 Exploitation — stumasy Code Injection Sigma rule to your SIEM and tune for your environment to identify exploitation attempts.
  • Implement a Web Application Firewall (WAF) to detect and block suspicious requests containing shell metacharacters targeting application/pages/imba_calculator/calculate.php as identified by the Detects CVE-2026-14749 Exploitation — stumasy Code Injection Sigma rule.
  • Monitor web server access logs for requests to application/pages/imba_calculator/calculate.php with unusual mathematical_sentence parameter values, indicating potential code injection attempts.
  • Prioritize patching or implementing compensating controls for any mjperpinosa stumasy deployments until the vendor releases a fix for CVE-2026-14749.

Detection coverage 1

Detects CVE-2026-14749 Exploitation — stumasy Code Injection

high

Detects CVE-2026-14749 exploitation — HTTP requests targeting mjperpinosa stumasy's calculate.php with shell metacharacters in the mathematical_sentence argument, indicating a code injection attempt.

sigma tactics: execution, initial_access techniques: T1059, T1059.004, T1059.007, T1190 sources: webserver

Detection queries are available on the platform. Get full rules →