Skip to content
Threat Feed

Vendor

Mjperpinosa

3 briefs RSS
high advisory

CVE-2026-14753: mjperpinosa stumasy Authorization Bypass

A critical authorization bypass vulnerability (CVE-2026-14753) has been identified in mjperpinosa stumasy, affecting versions up to and including commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be. This flaw, residing in an unknown function within the /PHP/objects/notes file of the Note Handler/Assignment Handler component, allows a remote attacker to bypass authorization by manipulating the 'assignment_item_id' argument. A public exploit is available, posing an immediate threat.

stumasy authorization-bypass web-application vulnerability cve
2t 1c 1i
high advisory

CVE-2026-14750 — SQL Injection in mjperpinosa stumasy via Password Argument

A high-severity remote SQL injection vulnerability (CVE-2026-14750) exists in mjperpinosa stumasy up to commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be, allowing unauthenticated attackers to manipulate the 'Password' argument in the `Notes_controller::accessing_dictionary_authorization` function to execute arbitrary SQL queries, leading to data exfiltration, manipulation, or potential server compromise via a publicly available exploit.

stumasy sql-injection web-application cve unauthenticated remote-code-execution data-exfiltration
1r 3t 1c
high advisory

CVE-2026-14749: mjperpinosa stumasy Code Injection Vulnerability

A code injection vulnerability (CVE-2026-14749) was identified in mjperpinosa stumasy, affecting versions up to commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be, which allows remote attackers to execute arbitrary code by manipulating the 'mathematical_sentence' argument in the 'eval' function of 'application/pages/imba_calculator/calculate.php', with a public exploit available and no vendor response.

stumasy web-vulnerability code-injection rce php
1r 2t 1c