CVE-2026-10807 in stumasy

Summary

by MITRE • 06/04/2026

A vulnerability was determined in mjperpinosa stumasy. The impacted element is an unknown function of the file application/PHP/objects/profiles/change_profile_image.php. Executing a manipulation of the argument pr_profile_image can lead to unrestricted upload. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.


Analysis

by VulDB Data Team • 06/04/2026

The vulnerability identified in the mjperpinosa stumasy application represents a critical security flaw in the profile image upload functionality. This issue resides within the change_profile_image.php file located in the application/PHP/objects/profiles directory, where an insufficient input validation mechanism allows attackers to manipulate the pr_profile_image argument. The flaw constitutes a classic unrestricted file upload vulnerability that enables remote attackers to execute arbitrary code on the target system. The vulnerability has been publicly disclosed and is actively being exploited, making it particularly dangerous as threat actors can immediately leverage this weakness without requiring advanced techniques or specialized tools.

The technical implementation of this vulnerability stems from inadequate sanitization and validation of user-supplied input parameters. When the pr_profile_image argument is processed, the application fails to properly validate the file type, size, or content, allowing malicious users to upload files with potentially harmful extensions such as php, phtml, or other server-side executable formats. This weakness directly maps to CWE-434 Unrestricted Upload of File with Dangerous Type, which is categorized under the CWE Top 25 Most Dangerous Software Weaknesses. The vulnerability's remote exploitability means that attackers can initiate the attack from any location without requiring physical access to the system, making it particularly attractive to cybercriminals operating at scale.

The operational impact of this vulnerability extends beyond simple unauthorized file uploads, as it can lead to complete system compromise. Successful exploitation allows attackers to upload malicious web shells or backdoors that can be used to maintain persistent access, escalate privileges, and exfiltrate sensitive data. The rolling release nature of this application compounds the security risk, as there are no definitive version numbers to identify affected systems, making it difficult for administrators to determine their exposure level. This continuous delivery model, while beneficial for feature updates, creates challenges for vulnerability management since there's no clear version control to reference when assessing risk. The lack of response from the project maintainers following the initial issue report indicates a potential security governance gap that leaves users exposed to ongoing exploitation.

Mitigation strategies should focus on immediate defensive measures while implementing long-term architectural improvements. Organizations should implement strict file type validation using allowlists rather than denylists, enforce proper file extension checking, and implement content-type verification mechanisms. The system should validate that uploaded files match their claimed MIME types and reject any files that do not conform to expected patterns. Additionally, uploaded files should be stored outside the web root directory, with filesystem permissions and web server configuration that prevent them from being executed as code. Network-level defenses including web application firewalls and intrusion detection systems should be configured to monitor for suspicious upload patterns and file content. The vulnerability also highlights the importance of maintaining up-to-date security practices and establishing clear communication channels between security researchers and project maintainers to ensure timely vulnerability disclosure and remediation. This issue aligns with ATT&CK technique T1190 Exploit Public-Facing Application, which covers the exploitation of vulnerabilities in externally accessible applications to gain initial access to target systems.
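As an added example that is not part of this advisory or the stumasy project, the following PHP handler applies the checks described above to a profile-image upload: an extension allowlist, content-based MIME detection, a re-encode through GD, a server-chosen filename, and storage outside the web root. Only the field name pr_profile_image comes from the advisory; the storage path, size limit, allowlist and function name are assumptions.

```php
<?php
// Hardened profile-image upload handler (added example, not the project's own code).
// Assumptions: UPLOAD_DIR sits outside the web root and is served by a separate
// read-only handler; MAX_BYTES and the allowlist are illustrative values.
declare(strict_types=1);

const UPLOAD_DIR = '/var/app/private_uploads/profiles'; // assumed path, not under the web root
const MAX_BYTES  = 2 * 1024 * 1024;                     // assumed 2 MiB cap
// Allowlist: extension => MIME type that must be detected from the file CONTENT,
// never from the client-supplied $_FILES[...]['type'] value.
const ALLOWED = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif'];

function storeProfileImage(array $file): string
{
    if (!isset($file['error']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    // Extension is checked against the allowlist, not a denylist of php/phtml/etc.
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('extension not allowed');
    }
    // Magic-byte detection: the client's Content-Type header is attacker-controlled.
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if ($detected !== ALLOWED[$ext]) {
        throw new RuntimeException('content does not match extension');
    }
    // Decode and re-encode through GD so trailing bytes or polyglot payloads are discarded.
    $img = @imagecreatefromstring((string) file_get_contents($file['tmp_name']));
    if ($img === false) {
        throw new RuntimeException('not a decodable image');
    }
    // Server-chosen random name with a fixed extension; the original filename is never reused.
    $name = bin2hex(random_bytes(16)) . '.png';
    $dest = UPLOAD_DIR . '/' . $name;
    if (!imagepng($img, $dest)) {
        throw new RuntimeException('could not write image');
    }
    chmod($dest, 0640); // readable by the application user, never executable
    return $name;
}

// Usage inside change_profile_image.php (field name taken from the advisory):
// $stored = storeProfileImage($_FILES['pr_profile_image']);
```

Re-encoding converts every accepted upload to PNG, which drops GIF animation; if that matters, keep the original format but still re-encode with the matching GD output function.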

Responsible

VulDB

Disclosure

06/04/2026

Moderation

accepted

CPE

ready

Exploit

Download

EPSS

0.00000

KEV

no

Activities

low
