{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/stumasy--327d1b0f2915ba79d7ef8ebb74553e987609d9be/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-14753"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["stumasy (\u003c= 327d1b0f2915ba79d7ef8ebb74553e987609d9be)"],"_cs_severities":["high"],"_cs_tags":["authorization-bypass","web-application","vulnerability","cve"],"_cs_type":"advisory","_cs_vendors":["mjperpinosa"],"content_html":"\u003cp\u003eA significant authorization bypass vulnerability, identified as CVE-2026-14753, has been discovered in mjperpinosa stumasy, affecting all versions up to and including commit \u003ccode\u003e327d1b0f2915ba79d7ef8ebb74553e987609d9be\u003c/code\u003e. This flaw exists within an unspecified function of the \u003ccode\u003e/PHP/objects/notes\u003c/code\u003e file, part of the Note Handler/Assignment Handler component. Exploitation occurs when a remote attacker manipulates the \u003ccode\u003eassignment_item_id\u003c/code\u003e argument, leading to an authorization bypass. The vulnerability is considered critical due to a publicly available exploit, enabling immediate threat to affected systems. As mjperpinosa stumasy utilizes continuous delivery with rolling releases, specific version details for affected or patched releases are not available, complicating remediation efforts. While the project was notified via an issue report, no response or fix has been released to date, making immediate detection and mitigation crucial for defenders.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a publicly accessible instance of mjperpinosa stumasy.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the \u003ccode\u003e/PHP/objects/notes\u003c/code\u003e endpoint of the application.\u003c/li\u003e\n\u003cli\u003eWithin this request, the attacker manipulates the \u003ccode\u003eassignment_item_id\u003c/code\u003e argument to an unauthorized or unintended value.\u003c/li\u003e\n\u003cli\u003eThe vulnerable stumasy application processes the malformed request through its Note Handler/Assignment Handler component.\u003c/li\u003e\n\u003cli\u003eDue to the flaw, the application's authorization checks are bypassed, granting the attacker unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker can now perform actions or access data that would normally require higher privileges or proper authorization within the stumasy application.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe successful exploitation of CVE-2026-14753 allows a remote attacker to bypass authorization controls within mjperpinosa stumasy. This can lead to unauthorized access to sensitive notes, assignments, or potentially other functionalities handled by the affected component. Given the nature of an authorization bypass, an attacker could escalate privileges, modify or delete data, or access information they are not permitted to see, depending on the context of the Note Handler/Assignment Handler. The availability of a public exploit significantly increases the risk of widespread attacks against unpatched or unmitigated instances, potentially compromising the integrity and confidentiality of data managed by the stumasy application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eIf mjperpinosa releases a fix, apply it immediately to all stumasy instances due to the public exploit (CVE-2026-14753).\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for suspicious HTTP requests targeting the \u003ccode\u003e/PHP/objects/notes\u003c/code\u003e path that include unusual or malformed \u003ccode\u003eassignment_item_id\u003c/code\u003e parameters.\u003c/li\u003e\n\u003cli\u003eDeploy a Web Application Firewall (WAF) to detect and block requests that attempt to manipulate the \u003ccode\u003eassignment_item_id\u003c/code\u003e argument, looking for patterns indicative of authorization bypass attempts against the Note Handler/Assignment Handler component.\u003c/li\u003e\n\u003cli\u003eRegularly review audit logs for the stumasy application for any unauthorized actions or access patterns observed within the Note Handler/Assignment Handler component.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-05T14:21:51Z","date_published":"2026-07-05T14:21:51Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14753-stumasy-auth-bypass/","summary":"A critical authorization bypass vulnerability (CVE-2026-14753) has been identified in mjperpinosa stumasy, affecting versions up to and including commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be. This flaw, residing in an unknown function within the /PHP/objects/notes file of the Note Handler/Assignment Handler component, allows a remote attacker to bypass authorization by manipulating the 'assignment_item_id' argument. A public exploit is available, posing an immediate threat.","title":"CVE-2026-14753: mjperpinosa stumasy Authorization Bypass","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14753-stumasy-auth-bypass/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-14750"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["stumasy (\u003c= 327d1b0f2915ba79d7ef8ebb74553e987609d9be)"],"_cs_severities":["high"],"_cs_tags":["sql-injection","web-application","cve","unauthenticated","remote-code-execution","data-exfiltration"],"_cs_type":"advisory","_cs_vendors":["mjperpinosa"],"content_html":"\u003cp\u003eA critical security flaw, identified as CVE-2026-14750, has been discovered in the mjperpinosa stumasy web application, affecting all versions up to and including commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be. The vulnerability is a remote SQL injection residing within the \u003ccode\u003eNotes_controller::accessing_dictionary_authorization\u003c/code\u003e function, specifically through the manipulation of the 'Password' argument in the file \u003ccode\u003eapplication/PHP/objects/notes/accessing_dictionary_authorization.php\u003c/code\u003e. This flaw permits remote attackers to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or even full compromise of the underlying database and host server. An exploit for this vulnerability has been publicly released, making affected systems highly susceptible to immediate attack. The project maintainers were notified of the issue but have not yet released a patch or responded to the report.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker identifies a publicly accessible instance of mjperpinosa stumasy.\u003c/li\u003e\n\u003cli\u003eAttacker crafts a malicious HTTP POST request targeting the \u003ccode\u003eapplication/PHP/objects/notes/accessing_dictionary_authorization.php\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe request includes a specially crafted 'Password' argument containing SQL injection payloads (e.g., \u003ccode\u003e' OR 1=1 --\u003c/code\u003e, \u003ccode\u003eUNION SELECT\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eNotes_controller::accessing_dictionary_authorization\u003c/code\u003e function processes the vulnerable 'Password' argument without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe application's backend database executes the attacker's embedded SQL query due to the injection.\u003c/li\u003e\n\u003cli\u003eDepending on the payload, the attacker bypasses authentication, extracts sensitive database contents, or manipulates existing data.\u003c/li\u003e\n\u003cli\u003eWith sufficient database privileges, the attacker may write arbitrary files (e.g., web shells) to the server, achieving remote code execution.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves unauthorized access to the application's data or the underlying server, enabling further reconnaissance, data exfiltration, or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-14750 grants unauthenticated remote attackers the ability to execute arbitrary SQL commands against the mjperpinosa stumasy application's database. This can lead to severe consequences including, but not limited to, unauthorized access to sensitive user data, complete database compromise, modification or deletion of application data, and potential remote code execution on the server if the database user has file system privileges (e.g., using \u003ccode\u003eINTO OUTFILE\u003c/code\u003e). Given the public availability of an exploit, organizations using affected versions of stumasy face an immediate and high risk of data breaches, system defacement, or complete server takeover.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePrioritize patching mjperpinosa stumasy to a secure version as soon as one becomes available.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule provided in this brief to your SIEM to detect attempts at SQL injection against your web servers.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) to filter and block malicious SQL injection payloads targeting HTTP request parameters like \u003ccode\u003ePassword\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eReview web server access logs for the \u003ccode\u003eapplication/PHP/objects/notes/accessing_dictionary_authorization.php\u003c/code\u003e endpoint for unusual HTTP POST requests or suspicious query parameters.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-05T14:21:02Z","date_published":"2026-07-05T14:21:02Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14750-stumasy-sqli/","summary":"A high-severity remote SQL injection vulnerability (CVE-2026-14750) exists in mjperpinosa stumasy up to commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be, allowing unauthenticated attackers to manipulate the 'Password' argument in the `Notes_controller::accessing_dictionary_authorization` function to execute arbitrary SQL queries, leading to data exfiltration, manipulation, or potential server compromise via a publicly available exploit.","title":"CVE-2026-14750 — SQL Injection in mjperpinosa stumasy via Password Argument","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14750-stumasy-sqli/"},{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-14749"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["stumasy (\u003c= 327d1b0f2915ba79d7ef8ebb74553e987609d9be)"],"_cs_severities":["high"],"_cs_tags":["web-vulnerability","code-injection","rce","php"],"_cs_type":"advisory","_cs_vendors":["mjperpinosa"],"content_html":"\u003cp\u003eA critical code injection vulnerability, identified as CVE-2026-14749, exists in mjperpinosa stumasy, affecting versions up to commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be. This flaw resides within the \u003ccode\u003eeval\u003c/code\u003e function in the \u003ccode\u003eapplication/pages/imba_calculator/calculate.php\u003c/code\u003e file, allowing remote attackers to execute arbitrary code by manipulating the \u003ccode\u003emathematical_sentence\u003c/code\u003e argument. The vulnerability has a CVSS v3.1 Base Score of 7.3 and is publicly exploitable. While the product utilizes a rolling release strategy, preventing the enumeration of specific affected or patched versions, the vendor has not yet responded to the reported issue, leaving deployments exposed. Defenders must be aware that readily available exploits facilitate widespread targeting of unpatched instances.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a public-facing instance of mjperpinosa stumasy.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP POST or GET request targeting the \u003ccode\u003eapplication/pages/imba_calculator/calculate.php\u003c/code\u003e endpoint on the vulnerable server.\u003c/li\u003e\n\u003cli\u003eThe request includes a specially crafted \u003ccode\u003emathematical_sentence\u003c/code\u003e parameter containing arbitrary PHP code (e.g., \u003ccode\u003e1+1; system('id');\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe vulnerable \u003ccode\u003eeval\u003c/code\u003e function in \u003ccode\u003eapplication/pages/imba_calculator/calculate.php\u003c/code\u003e processes the \u003ccode\u003emathematical_sentence\u003c/code\u003e argument without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe malicious PHP code embedded within the \u003ccode\u003emathematical_sentence\u003c/code\u003e argument is executed by the server process.\u003c/li\u003e\n\u003cli\u003eThe server's HTTP response may reveal the output of the executed command, confirming successful code injection and providing initial access.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages this remote code execution to download further malware, establish persistence, exfiltrate sensitive data, or perform other malicious actions on the compromised server.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe exploitation of CVE-2026-14749 grants remote attackers arbitrary code execution capabilities on affected mjperpinosa stumasy instances. Given the public availability of an exploit and the vendor's non-response to the reported issue, organizations running this software are at high risk. Successful exploitation can lead to complete system compromise, data theft, defacement, or further lateral movement within the network, potentially impacting critical business operations and exposing sensitive information to unauthorized parties.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the \u003ccode\u003eDetects CVE-2026-14749 Exploitation — stumasy Code Injection\u003c/code\u003e Sigma rule to your SIEM and tune for your environment to identify exploitation attempts.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) to detect and block suspicious requests containing shell metacharacters targeting \u003ccode\u003eapplication/pages/imba_calculator/calculate.php\u003c/code\u003e as identified by the \u003ccode\u003eDetects CVE-2026-14749 Exploitation — stumasy Code Injection\u003c/code\u003e Sigma rule.\u003c/li\u003e\n\u003cli\u003eMonitor web server access logs for requests to \u003ccode\u003eapplication/pages/imba_calculator/calculate.php\u003c/code\u003e with unusual \u003ccode\u003emathematical_sentence\u003c/code\u003e parameter values, indicating potential code injection attempts.\u003c/li\u003e\n\u003cli\u003ePrioritize patching or implementing compensating controls for any mjperpinosa stumasy deployments until the vendor releases a fix for CVE-2026-14749.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-05T13:22:39Z","date_published":"2026-07-05T13:22:39Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14749-stumasy-code-injection/","summary":"A code injection vulnerability (CVE-2026-14749) was identified in mjperpinosa stumasy, affecting versions up to commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be, which allows remote attackers to execute arbitrary code by manipulating the 'mathematical_sentence' argument in the 'eval' function of 'application/pages/imba_calculator/calculate.php', with a public exploit available and no vendor response.","title":"CVE-2026-14749: mjperpinosa stumasy Code Injection Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14749-stumasy-code-injection/"}],"language":"en","title":"CraftedSignal Threat Feed - Stumasy (\u003c= 327d1b0f2915ba79d7ef8ebb74553e987609d9be)","version":"https://jsonfeed.org/version/1.1"}