Skip to content
Threat Feed
high advisory

CVE-2026-14750 — SQL Injection in mjperpinosa stumasy via Password Argument

A high-severity remote SQL injection vulnerability (CVE-2026-14750) exists in mjperpinosa stumasy up to commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be, allowing unauthenticated attackers to manipulate the 'Password' argument in the `Notes_controller::accessing_dictionary_authorization` function to execute arbitrary SQL queries, leading to data exfiltration, manipulation, or potential server compromise via a publicly available exploit.

A critical security flaw, identified as CVE-2026-14750, has been discovered in the mjperpinosa stumasy web application, affecting all versions up to and including commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be. The vulnerability is a remote SQL injection residing within the Notes_controller::accessing_dictionary_authorization function, specifically through the manipulation of the 'Password' argument in the file application/PHP/objects/notes/accessing_dictionary_authorization.php. This flaw permits remote attackers to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or even full compromise of the underlying database and host server. An exploit for this vulnerability has been publicly released, making affected systems highly susceptible to immediate attack. The project maintainers were notified of the issue but have not yet released a patch or responded to the report.

Attack Chain

  1. Attacker identifies a publicly accessible instance of mjperpinosa stumasy.
  2. Attacker crafts a malicious HTTP POST request targeting the application/PHP/objects/notes/accessing_dictionary_authorization.php endpoint.
  3. The request includes a specially crafted 'Password' argument containing SQL injection payloads (e.g., ' OR 1=1 --, UNION SELECT).
  4. The Notes_controller::accessing_dictionary_authorization function processes the vulnerable 'Password' argument without proper sanitization.
  5. The application's backend database executes the attacker's embedded SQL query due to the injection.
  6. Depending on the payload, the attacker bypasses authentication, extracts sensitive database contents, or manipulates existing data.
  7. With sufficient database privileges, the attacker may write arbitrary files (e.g., web shells) to the server, achieving remote code execution.
  8. The attacker achieves unauthorized access to the application's data or the underlying server, enabling further reconnaissance, data exfiltration, or system compromise.

Impact

Successful exploitation of CVE-2026-14750 grants unauthenticated remote attackers the ability to execute arbitrary SQL commands against the mjperpinosa stumasy application's database. This can lead to severe consequences including, but not limited to, unauthorized access to sensitive user data, complete database compromise, modification or deletion of application data, and potential remote code execution on the server if the database user has file system privileges (e.g., using INTO OUTFILE). Given the public availability of an exploit, organizations using affected versions of stumasy face an immediate and high risk of data breaches, system defacement, or complete server takeover.

Recommendation

  • Prioritize patching mjperpinosa stumasy to a secure version as soon as one becomes available.
  • Deploy the Sigma rule provided in this brief to your SIEM to detect attempts at SQL injection against your web servers.
  • Implement a Web Application Firewall (WAF) to filter and block malicious SQL injection payloads targeting HTTP request parameters like Password.
  • Review web server access logs for the application/PHP/objects/notes/accessing_dictionary_authorization.php endpoint for unusual HTTP POST requests or suspicious query parameters.

Detection coverage 1

Detects CVE-2026-14750 Exploitation — mjperpinosa stumasy SQLi

high

Detects CVE-2026-14750 exploitation — suspicious SQL injection patterns in the 'Password' argument of mjperpinosa stumasy application, likely in cs-uri-query or HTTP POST body.

sigma tactics: impact, initial_access techniques: T1005, T1190, T1490 sources: webserver

Detection queries are available on the platform. Get full rules →