<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Stumasy (&lt;= 327d1b0f2915ba79d7ef8ebb74553e987609d9be) - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/stumasy--327d1b0f2915ba79d7ef8ebb74553e987609d9be/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Sun, 05 Jul 2026 14:21:51 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/stumasy--327d1b0f2915ba79d7ef8ebb74553e987609d9be/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-14753: mjperpinosa stumasy Authorization Bypass</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14753-stumasy-auth-bypass/</link><pubDate>Sun, 05 Jul 2026 14:21:51 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14753-stumasy-auth-bypass/</guid><description>A critical authorization bypass vulnerability (CVE-2026-14753) has been identified in mjperpinosa stumasy, affecting versions up to and including commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be. This flaw, residing in an unknown function within the /PHP/objects/notes file of the Note Handler/Assignment Handler component, allows a remote attacker to bypass authorization by manipulating the 'assignment_item_id' argument. A public exploit is available, posing an immediate threat.</description><content:encoded><![CDATA[<p>A significant authorization bypass vulnerability, identified as CVE-2026-14753, has been discovered in mjperpinosa stumasy, affecting all versions up to and including commit <code>327d1b0f2915ba79d7ef8ebb74553e987609d9be</code>. This flaw exists within an unspecified function of the <code>/PHP/objects/notes</code> file, part of the Note Handler/Assignment Handler component. Exploitation occurs when a remote attacker manipulates the <code>assignment_item_id</code> argument, leading to an authorization bypass. The vulnerability is considered critical due to a publicly available exploit, enabling immediate threat to affected systems. As mjperpinosa stumasy utilizes continuous delivery with rolling releases, specific version details for affected or patched releases are not available, complicating remediation efforts. While the project was notified via an issue report, no response or fix has been released to date, making immediate detection and mitigation crucial for defenders.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a publicly accessible instance of mjperpinosa stumasy.</li>
<li>The attacker crafts a malicious HTTP request targeting the <code>/PHP/objects/notes</code> endpoint of the application.</li>
<li>Within this request, the attacker manipulates the <code>assignment_item_id</code> argument to an unauthorized or unintended value.</li>
<li>The vulnerable stumasy application processes the malformed request through its Note Handler/Assignment Handler component.</li>
<li>Due to the flaw, the application's authorization checks are bypassed, granting the attacker unauthorized access.</li>
<li>The attacker can now perform actions or access data that would normally require higher privileges or proper authorization within the stumasy application.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The successful exploitation of CVE-2026-14753 allows a remote attacker to bypass authorization controls within mjperpinosa stumasy. This can lead to unauthorized access to sensitive notes, assignments, or potentially other functionalities handled by the affected component. Given the nature of an authorization bypass, an attacker could escalate privileges, modify or delete data, or access information they are not permitted to see, depending on the context of the Note Handler/Assignment Handler. The availability of a public exploit significantly increases the risk of widespread attacks against unpatched or unmitigated instances, potentially compromising the integrity and confidentiality of data managed by the stumasy application.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>If mjperpinosa releases a fix, apply it immediately to all stumasy instances due to the public exploit (CVE-2026-14753).</li>
<li>Monitor web server access logs for suspicious HTTP requests targeting the <code>/PHP/objects/notes</code> path that include unusual or malformed <code>assignment_item_id</code> parameters.</li>
<li>Deploy a Web Application Firewall (WAF) to detect and block requests that attempt to manipulate the <code>assignment_item_id</code> argument, looking for patterns indicative of authorization bypass attempts against the Note Handler/Assignment Handler component.</li>
<li>Regularly review audit logs for the stumasy application for any unauthorized actions or access patterns observed within the Note Handler/Assignment Handler component.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>authorization-bypass</category><category>web-application</category><category>vulnerability</category><category>cve</category></item><item><title>CVE-2026-14750 — SQL Injection in mjperpinosa stumasy via Password Argument</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14750-stumasy-sqli/</link><pubDate>Sun, 05 Jul 2026 14:21:02 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14750-stumasy-sqli/</guid><description>A high-severity remote SQL injection vulnerability (CVE-2026-14750) exists in mjperpinosa stumasy up to commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be, allowing unauthenticated attackers to manipulate the 'Password' argument in the `Notes_controller::accessing_dictionary_authorization` function to execute arbitrary SQL queries, leading to data exfiltration, manipulation, or potential server compromise via a publicly available exploit.</description><content:encoded><![CDATA[<p>A critical security flaw, identified as CVE-2026-14750, has been discovered in the mjperpinosa stumasy web application, affecting all versions up to and including commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be. The vulnerability is a remote SQL injection residing within the <code>Notes_controller::accessing_dictionary_authorization</code> function, specifically through the manipulation of the 'Password' argument in the file <code>application/PHP/objects/notes/accessing_dictionary_authorization.php</code>. This flaw permits remote attackers to execute arbitrary SQL commands, potentially leading to unauthorized data access, modification, or even full compromise of the underlying database and host server. An exploit for this vulnerability has been publicly released, making affected systems highly susceptible to immediate attack. The project maintainers were notified of the issue but have not yet released a patch or responded to the report.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>Attacker identifies a publicly accessible instance of mjperpinosa stumasy.</li>
<li>Attacker crafts a malicious HTTP POST request targeting the <code>application/PHP/objects/notes/accessing_dictionary_authorization.php</code> endpoint.</li>
<li>The request includes a specially crafted 'Password' argument containing SQL injection payloads (e.g., <code>' OR 1=1 --</code>, <code>UNION SELECT</code>).</li>
<li>The <code>Notes_controller::accessing_dictionary_authorization</code> function processes the vulnerable 'Password' argument without proper sanitization.</li>
<li>The application's backend database executes the attacker's embedded SQL query due to the injection.</li>
<li>Depending on the payload, the attacker bypasses authentication, extracts sensitive database contents, or manipulates existing data.</li>
<li>With sufficient database privileges, the attacker may write arbitrary files (e.g., web shells) to the server, achieving remote code execution.</li>
<li>The attacker achieves unauthorized access to the application's data or the underlying server, enabling further reconnaissance, data exfiltration, or system compromise.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-14750 grants unauthenticated remote attackers the ability to execute arbitrary SQL commands against the mjperpinosa stumasy application's database. This can lead to severe consequences including, but not limited to, unauthorized access to sensitive user data, complete database compromise, modification or deletion of application data, and potential remote code execution on the server if the database user has file system privileges (e.g., using <code>INTO OUTFILE</code>). Given the public availability of an exploit, organizations using affected versions of stumasy face an immediate and high risk of data breaches, system defacement, or complete server takeover.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Prioritize patching mjperpinosa stumasy to a secure version as soon as one becomes available.</li>
<li>Deploy the Sigma rule provided in this brief to your SIEM to detect attempts at SQL injection against your web servers.</li>
<li>Implement a Web Application Firewall (WAF) to filter and block malicious SQL injection payloads targeting HTTP request parameters like <code>Password</code>.</li>
<li>Review web server access logs for the <code>application/PHP/objects/notes/accessing_dictionary_authorization.php</code> endpoint for unusual HTTP POST requests or suspicious query parameters.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>sql-injection</category><category>web-application</category><category>cve</category><category>unauthenticated</category><category>remote-code-execution</category><category>data-exfiltration</category></item><item><title>CVE-2026-14749: mjperpinosa stumasy Code Injection Vulnerability</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14749-stumasy-code-injection/</link><pubDate>Sun, 05 Jul 2026 13:22:39 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-14749-stumasy-code-injection/</guid><description>A code injection vulnerability (CVE-2026-14749) was identified in mjperpinosa stumasy, affecting versions up to commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be, which allows remote attackers to execute arbitrary code by manipulating the 'mathematical_sentence' argument in the 'eval' function of 'application/pages/imba_calculator/calculate.php', with a public exploit available and no vendor response.</description><content:encoded><![CDATA[<p>A critical code injection vulnerability, identified as CVE-2026-14749, exists in mjperpinosa stumasy, affecting versions up to commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be. This flaw resides within the <code>eval</code> function in the <code>application/pages/imba_calculator/calculate.php</code> file, allowing remote attackers to execute arbitrary code by manipulating the <code>mathematical_sentence</code> argument. The vulnerability has a CVSS v3.1 Base Score of 7.3 and is publicly exploitable. While the product utilizes a rolling release strategy, preventing the enumeration of specific affected or patched versions, the vendor has not yet responded to the reported issue, leaving deployments exposed. Defenders must be aware that readily available exploits facilitate widespread targeting of unpatched instances.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker identifies a public-facing instance of mjperpinosa stumasy.</li>
<li>The attacker crafts an HTTP POST or GET request targeting the <code>application/pages/imba_calculator/calculate.php</code> endpoint on the vulnerable server.</li>
<li>The request includes a specially crafted <code>mathematical_sentence</code> parameter containing arbitrary PHP code (e.g., <code>1+1; system('id');</code>).</li>
<li>The vulnerable <code>eval</code> function in <code>application/pages/imba_calculator/calculate.php</code> processes the <code>mathematical_sentence</code> argument without proper sanitization.</li>
<li>The malicious PHP code embedded within the <code>mathematical_sentence</code> argument is executed by the server process.</li>
<li>The server's HTTP response may reveal the output of the executed command, confirming successful code injection and providing initial access.</li>
<li>The attacker leverages this remote code execution to download further malware, establish persistence, exfiltrate sensitive data, or perform other malicious actions on the compromised server.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>The exploitation of CVE-2026-14749 grants remote attackers arbitrary code execution capabilities on affected mjperpinosa stumasy instances. Given the public availability of an exploit and the vendor's non-response to the reported issue, organizations running this software are at high risk. Successful exploitation can lead to complete system compromise, data theft, defacement, or further lateral movement within the network, potentially impacting critical business operations and exposing sensitive information to unauthorized parties.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the <code>Detects CVE-2026-14749 Exploitation — stumasy Code Injection</code> Sigma rule to your SIEM and tune for your environment to identify exploitation attempts.</li>
<li>Implement a Web Application Firewall (WAF) to detect and block suspicious requests containing shell metacharacters targeting <code>application/pages/imba_calculator/calculate.php</code> as identified by the <code>Detects CVE-2026-14749 Exploitation — stumasy Code Injection</code> Sigma rule.</li>
<li>Monitor web server access logs for requests to <code>application/pages/imba_calculator/calculate.php</code> with unusual <code>mathematical_sentence</code> parameter values, indicating potential code injection attempts.</li>
<li>Prioritize patching or implementing compensating controls for any mjperpinosa stumasy deployments until the vendor releases a fix for CVE-2026-14749.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>web-vulnerability</category><category>code-injection</category><category>rce</category><category>php</category></item></channel></rss>