Description
A vulnerability was found in mjperpinosa stumasy. The affected code is an unknown function in the file application/PHP/objects/profiles/change_profile_image.php. Manipulating the argument pr_profile_image can lead to an unrestricted file upload. The attack can be launched remotely. The exploit has been publicly disclosed and may be used. The product is developed on a rolling-release basis, so there are no version details for affected or patched releases. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-06-04
Score: 5.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in mjperpinosa stumasy allows a remote, low-privileged user (PR:L in the CVSS v3/v4 vectors, Au:S in the v2 vector) to upload files of any type by manipulating the pr_profile_image parameter processed by application/PHP/objects/profiles/change_profile_image.php. Because the endpoint does not validate the uploaded file's type or content, an attacker can store a PHP script or other active content on the server. If the destination directory is web-accessible and the server executes scripts from it, this becomes remote code execution; otherwise the impact is limited to what the stored file can do when it is served, such as stored cross-site scripting through HTML or SVG files or hosting of phishing content. The assigned CVSS ratings (partial confidentiality, integrity and availability impact) reflect the latter case; the full RCE outcome depends on how the application is deployed. The weakness maps to CWE-434 (Unrestricted Upload of File with Dangerous Type), with CWE-284 (Improper Access Control) also assigned.

Affected Systems

The affected product is mjperpinosa stumasy, which is maintained on a rolling‑release model and does not provide explicit versioned releases. All deployed instances of stumasy that include the change_profile_image.php module are potentially impacted, regardless of the build or deployment date.

Risk and Exploitability

The CVSS 4.0 score of 5.3 (Medium) and the SSVC assessment recorded in the History section (Exploitation: poc, Automatable: no, Technical Impact: partial) indicate moderate severity; the absence of an EPSS score and of a KEV listing means there was no evidence of exploitation in the wild at publication time. However, a proof of concept is public and the attack can be launched remotely, so any authenticated user who can reach the profile image upload endpoint can submit a crafted file. If the web server executes PHP from the upload location, that is remote code execution. Even without execution, the ability to place arbitrary files on the server can be used to host phishing pages, deliver stored cross-site scripting through HTML or SVG files, or stage content for later persistence. The risk is therefore non-negligible and warrants active mitigation.

Generated by OpenCVE AI on June 4, 2026 at 14:57 UTC.
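A triage check that follows from the risk described above, added here as an example and not part of the OpenCVE analysis or of the stumasy project: a PHP CLI script that walks the directory where profile images are stored and flags anything that is not a plain image, carries a script-type extension, contains a PHP open tag (a polyglot image), or has the executable bit set. The directory path (argv[1]), the allowed image types and the function name scan_uploads are assumptions; the real upload location in a stumasy deployment has to be taken from the application's configuration. Requires PHP 8 for str_contains.

```php
<?php
declare(strict_types=1);

// Post-disclosure triage helper written for this page (not stumasy code):
// walk an upload directory and report files that should not be there.
// Assumed: the directory is passed as argv[1]; only these image types are legitimate.
const IMAGE_MIMES = ['image/jpeg', 'image/png', 'image/gif', 'image/webp'];

/** Returns [path => [reason, ...]] for every suspicious file under $dir. */
function scan_uploads(string $dir): array
{
    $finfo    = new finfo(FILEINFO_MIME_TYPE);
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($it as $path => $entry) {
        if (!$entry->isFile()) {
            continue;
        }
        $reasons = [];

        // Content type from libmagic, never from the file name.
        $mime = $finfo->file($path) ?: 'unknown';
        if (!in_array($mime, IMAGE_MIMES, true)) {
            $reasons[] = "content type $mime";
        }

        // Extensions a PHP web server might execute or honour (.htaccess can re-enable execution).
        $ext = strtolower(pathinfo($path, PATHINFO_EXTENSION));
        if (preg_match('/^(php\d*|phtml|phar|htaccess)$/', $ext)) {
            $reasons[] = "dangerous extension .$ext";
        }

        // Polyglot check: a valid image with an embedded PHP tag still runs if the server executes it.
        $head = file_get_contents($path, false, null, 0, 1 << 20); // first 1 MiB is enough for a tag
        if ($head !== false && (str_contains($head, '<?php') || str_contains($head, '<?='))) {
            $reasons[] = 'PHP open tag in content';
        }

        if ($entry->isExecutable()) {
            $reasons[] = 'executable bit set';
        }
        if ($reasons) {
            $findings[$path] = $reasons;
        }
    }
    return $findings;
}

$dir = $argv[1] ?? '';
if (!is_dir($dir)) {
    fwrite(STDERR, "usage: php scan_uploads.php <upload-dir>\n");
    exit(2);
}
foreach (scan_uploads($dir) as $path => $reasons) {
    echo $path, ': ', implode('; ', $reasons), "\n";
}
```

Run it against the live upload directory and against any backups taken after the disclosure date; a hit on "PHP open tag in content" for a file that libmagic reports as an image is the polyglot case and should be treated as a probable compromise indicator, not a false positive, until the web server's access logs for that path have been reviewed.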

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check if the latest version or fork of stumasy includes a fix for unrestricted file uploads and apply any available updates or patches.
  • Restrict uploaded file types by validating MIME types, checking extensions, and enforcing a whitelist of allowed image formats; configure the server to treat uploads as non-executable blobs.
  • Add server‑side validation that examines the file content (magic bytes) to ensure only legitimate image files are accepted, rejecting or quarantining any file that does not match the expected format.
  • Enforce proper access control so that only authenticated and authorized users can request the change_profile_image.php endpoint, and log all upload attempts for audit purposes.

Generated by OpenCVE AI on June 4, 2026 at 14:57 UTC.
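One way to implement the four actions above in the handler itself, as an added example rather than the project's own code: a replacement flow for a multipart field named pr_profile_image that requires a session, sniffs the content with libmagic instead of trusting the client-supplied type, cross-checks the result with getimagesize, discards the client's file name, stores the file under a random name in a directory outside the document root with the execute bit clear, and logs the attempt. PROFILE_IMAGE_DIR, MAX_BYTES, ALLOWED, store_profile_image and the $_SESSION['user_id'] layout are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Hardened handling for the pr_profile_image upload field.
// Example code written for this page; it is NOT the stumasy project's code.
// Assumed: uploads are stored OUTSIDE the document root and served through a
// separate read-only download script, so nothing in this directory can ever execute.
const PROFILE_IMAGE_DIR = '/var/app/private/profile_images'; // assumed path
const MAX_BYTES         = 2 * 1024 * 1024;                    // assumed limit

// Allow-list keyed by the MIME type detected from CONTENT; the value is the
// extension we assign (the client's file name is never used).
const ALLOWED = [
    'image/jpeg' => 'jpg',
    'image/png'  => 'png',
    'image/gif'  => 'gif',
    'image/webp' => 'webp',
];

/**
 * Validate one $_FILES entry and store it.
 * Returns [ok (bool), message (string), stored name (string|null)].
 */
function store_profile_image(array $file, int $userId): array
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return [false, 'upload failed (error ' . (int)$file['error'] . ')', null];
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return [false, 'not an uploaded file', null];
    }
    if ($file['size'] > MAX_BYTES) {
        return [false, 'file too large', null];
    }

    // 1. Content sniffing via libmagic; $file['type'] is client-controlled and ignored.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']) ?: '';
    if (!array_key_exists($mime, ALLOWED)) {
        return [false, "disallowed content type: $mime", null];
    }

    // 2. Second opinion: the data must decode as an image of the same type.
    $info = @getimagesize($file['tmp_name']);
    if ($info === false || $info['mime'] !== $mime) {
        return [false, 'content does not parse as the detected image type', null];
    }

    // 3. Random name plus an extension WE chose; no path components from the client.
    $stored = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest   = PROFILE_IMAGE_DIR . '/' . $stored;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        return [false, 'could not store file', null];
    }
    chmod($dest, 0640); // readable by the app, never executable

    // 4. Audit trail: who stored what, from where.
    error_log(sprintf(
        'profile_image user=%d stored=%s mime=%s bytes=%d ip=%s',
        $userId, $stored, $mime, (int)$file['size'], $_SERVER['REMOTE_ADDR'] ?? '-'
    ));

    return [true, 'ok', $stored];
}

// Endpoint glue (assumed session layout; adapt to the application's own auth).
session_start();
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit('login required');
}
if (!isset($_FILES['pr_profile_image'])) {
    http_response_code(400);
    exit('missing pr_profile_image');
}
[$ok, $msg, $name] = store_profile_image($_FILES['pr_profile_image'], (int)$_SESSION['user_id']);
http_response_code($ok ? 200 : 400);
echo $msg;
```

One caveat the list above does not spell out: a well-formed JPEG with `<?php` inside a comment segment passes both the libmagic and the getimagesize checks, so content validation alone is not enough. The file must also live where the server will never execute it (for Apache mod_php, `php_admin_flag engine off` on that directory, or keep it outside the document root as assumed here; for nginx, no PHP location block covering the uploads path) and under an extension the application chose. Re-encoding the image through GD (imagecreatefromstring followed by imagejpeg or imagepng) strips such embedded data at the cost of recompression.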

Advisories

No advisories yet.

History

Thu, 04 Jun 2026 14:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 04 Jun 2026 13:30:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was determined in mjperpinosa stumasy. The impacted element is an unknown function of the file application/PHP/objects/profiles/change_profile_image.php. Executing a manipulation of the argument pr_profile_image can lead to unrestricted upload. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.
Title | | mjperpinosa stumasy change_profile_image.php unrestricted upload
First Time appeared | | Mjperpinosa; Mjperpinosa stumasy
Weaknesses | | CWE-284; CWE-434
CPEs | | cpe:2.3:a:mjperpinosa:stumasy:*:*:*:*:*:*:*:*
Vendors & Products | | Mjperpinosa; Mjperpinosa stumasy
References | |
Metrics | | cvssV2_0 {'score': 6.5, 'vector': 'AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0 {'score': 6.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1 {'score': 6.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0 {'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-06-04T13:48:22.393Z

Reserved: 2026-06-04T05:14:46.616Z

Link: CVE-2026-10807

Vulnrichment

Updated: 2026-06-04T13:48:18.940Z

NVD

Status : Deferred

Published: 2026-06-04T14:16:36.790

Modified: 2026-06-04T14:41:25.017

Link: CVE-2026-10807

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T15:00:15Z

Weaknesses