CVE-2026-14749: mjperpinosa stumasy Code Injection Vulnerability
A code injection vulnerability (CVE-2026-14749) was identified in mjperpinosa stumasy, affecting versions up to commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be, which allows remote attackers to execute arbitrary code by manipulating the 'mathematical_sentence' argument in the 'eval' function of 'application/pages/imba_calculator/calculate.php', with a public exploit available and no vendor response.
A critical code injection vulnerability, identified as CVE-2026-14749, exists in mjperpinosa stumasy, affecting versions up to commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be. This flaw resides within the eval function in the application/pages/imba_calculator/calculate.php file, allowing remote attackers to execute arbitrary code by manipulating the mathematical_sentence argument. The vulnerability has a CVSS v3.1 Base Score of 7.3 and is publicly exploitable. While the product utilizes a rolling release strategy, preventing the enumeration of specific affected or patched versions, the vendor has not yet responded to the reported issue, leaving deployments exposed. Defenders must be aware that readily available exploits facilitate widespread targeting of unpatched instances.
Attack Chain
- An attacker identifies a public-facing instance of mjperpinosa stumasy.
- The attacker crafts an HTTP POST or GET request targeting the
application/pages/imba_calculator/calculate.phpendpoint on the vulnerable server. - The request includes a specially crafted
mathematical_sentenceparameter containing arbitrary PHP code (e.g.,1+1; system('id');). - The vulnerable
evalfunction inapplication/pages/imba_calculator/calculate.phpprocesses themathematical_sentenceargument without proper sanitization. - The malicious PHP code embedded within the
mathematical_sentenceargument is executed by the server process. - The server's HTTP response may reveal the output of the executed command, confirming successful code injection and providing initial access.
- The attacker leverages this remote code execution to download further malware, establish persistence, exfiltrate sensitive data, or perform other malicious actions on the compromised server.
Impact
The exploitation of CVE-2026-14749 grants remote attackers arbitrary code execution capabilities on affected mjperpinosa stumasy instances. Given the public availability of an exploit and the vendor's non-response to the reported issue, organizations running this software are at high risk. Successful exploitation can lead to complete system compromise, data theft, defacement, or further lateral movement within the network, potentially impacting critical business operations and exposing sensitive information to unauthorized parties.
Recommendation
- Deploy the
Detects CVE-2026-14749 Exploitation — stumasy Code InjectionSigma rule to your SIEM and tune for your environment to identify exploitation attempts. - Implement a Web Application Firewall (WAF) to detect and block suspicious requests containing shell metacharacters targeting
application/pages/imba_calculator/calculate.phpas identified by theDetects CVE-2026-14749 Exploitation — stumasy Code InjectionSigma rule. - Monitor web server access logs for requests to
application/pages/imba_calculator/calculate.phpwith unusualmathematical_sentenceparameter values, indicating potential code injection attempts. - Prioritize patching or implementing compensating controls for any mjperpinosa stumasy deployments until the vendor releases a fix for CVE-2026-14749.
Detection coverage 1
Detects CVE-2026-14749 Exploitation — stumasy Code Injection
highDetects CVE-2026-14749 exploitation — HTTP requests targeting mjperpinosa stumasy's calculate.php with shell metacharacters in the mathematical_sentence argument, indicating a code injection attempt.
Detection queries are available on the platform. Get full rules →