Skip to main content

Stumasy CVE-2026-10807

| EUVD-2026-34253 LOW
Unrestricted Upload of File with Dangerous Type (CWE-434)
2026-06-04 VulDB GHSA-hv9x-95wf-v38q
PHP File Upload
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

3
Severity Changed
Jun 04, 2026 - 14:22 NVD
MEDIUM LOW
CVSS changed
Jun 04, 2026 - 14:22 NVD
6.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
Jun 04, 2026 - 14:18 vuln.today

DescriptionCVE.org

A vulnerability was determined in mjperpinosa stumasy. The impacted element is an unknown function of the file application/PHP/objects/profiles/change_profile_image.php. Executing a manipulation of the argument pr_profile_image can lead to unrestricted upload. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Unrestricted file upload in Stumasy (mjperpinosa) allows a low-privileged authenticated attacker to upload arbitrary files through the profile image change endpoint, potentially enabling server-side code execution. The vulnerable parameter pr_profile_image in application/PHP/objects/profiles/change_profile_image.php performs no meaningful file type validation, making it trivial to submit non-image payloads including PHP webshells. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege user account
Delivery
Authenticate to Stumasy application
Exploit
POST crafted multipart request to change_profile_image.php
Execution
Upload PHP webshell via pr_profile_image parameter
Persist
Request uploaded webshell URL via browser
Impact
Execute arbitrary server-side commands
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid low-privilege authenticated session on the Stumasy application - any registered user account is sufficient, as the CVSS vector specifies PR:L (low privileges required). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD CVSS score of 6.3 (Medium) reflects C:L/I:L/A:L - a conservative impact assessment that may understate real-world risk for an unrestricted PHP file upload vulnerability, which commonly leads to full remote code execution if uploaded files are web-accessible. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or compromises a low-privilege user account on the Stumasy application, then crafts a multipart HTTP POST request to `change_profile_image.php` with the `pr_profile_image` parameter set to a PHP webshell file (e.g., `shell.php`). If the server stores and serves uploaded files from a web-accessible directory without execution restrictions, the attacker navigates directly to the uploaded file's URL to trigger server-side PHP execution and obtain arbitrary command execution on the host. …
Remediation No vendor-released patch has been identified at time of analysis; the project maintainer has not responded to the disclosure. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

More from same product – last 7 days

CVE-2026-49952 CRITICAL POC
9.3 Jun 15

Authentication bypass in Discuz! X5.0 releases 20260320 through 20260501 allows unauthenticated remote attackers to acce
CVE-2026-49954 HIGH POC
8.6 Jun 15

Authenticated remote code execution in Discuz! X5.0 releases 20260320 through 20260501 allows administrators to chain a

CVE-2026-49768 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Happyforms WordPress plugin (versions <= 1.26.13) allows remote attackers to
CVE-2026-27053 CRITICAL
9.8 Jun 15

Unauthenticated PHP Object Injection in the Broadcast Live Video WordPress plugin (versions prior to 7.1.3) allows remot
CVE-2026-49104 CRITICAL
9.8 Jun 15

Unauthenticated PHP object injection in the WordPress plugin 'Integration for Keap/Infusionsoft and Contact Form 7, WPFo

Share

CVE-2026-10807 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy