Description
A vulnerability was found in mjperpinosa stumasy. The affected element is an unknown function of the file application/PHP/objects/updates/add_post.php. Performing a manipulation of the argument up_file_to_post results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-06-04
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in the add_post.php script of mjperpinosa stumasy allows an attacker to manipulate the up_file_to_post argument and upload arbitrary files without restriction. This can enable the placement of malicious scripts or executables on the server, potentially granting the attacker remote code execution capabilities. The vulnerability is identified as an access control weakness and an unsafe file upload flaw.

Affected Systems

The issue affects the mjperpinosa stumasy application as a whole. Because the project adopts a rolling release model, specific version information is unavailable and any current release could be vulnerable until a fix is applied.

Risk and Exploitability

The CVSS score of 5.3 denotes a medium severity risk. EPSS data is not available, so the estimated exploit probability is unknown, and the vulnerability is not listed in the CISA KEV catalog. The description states that the attack can be launched remotely and that a public exploit exists, which indicates a non‑trivial chance of exploitation if the flaw is not remediated.

Generated by OpenCVE AI on June 4, 2026 at 14:57 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Check the project's repository or vendor advisories for an updated release that includes a fix for this issue and upgrade immediately once available.
  • If a patch is not yet available, restrict the upload endpoint to authenticated users only and enforce strict file type validation to prevent execution of uploaded content.
  • Continuously monitor upload logs for abnormal or unauthenticated file uploads and block suspicious activity.

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics:
  ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Description: A vulnerability was found in mjperpinosa stumasy. The affected element is an unknown function of the file application/PHP/objects/updates/add_post.php. Performing a manipulation of the argument up_file_to_post results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
Title: mjperpinosa stumasy add_post.php unrestricted upload
First Time appeared: Mjperpinosa, Mjperpinosa stumasy
Weaknesses: CWE-284, CWE-434
CPEs: cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*
Vendors & Products: Mjperpinosa, Mjperpinosa stumasy
References
Metrics:
  cvssV2_0: {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
  cvssV3_0: {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV3_1: {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
  cvssV4_0: {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-04T15:06:43.546Z

Reserved: 2026-06-04T05:14:43.960Z

Link: CVE-2026-10806

Vulnrichment

Updated: 2026-06-04T15:03:04.883Z

NVD

Status: Deferred

Published: 2026-06-04T14:16:36.593

Modified: 2026-06-04T14:41:25.017

Link: CVE-2026-10806

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T15:00:15Z
