Skip to main content

Stumasy

3 CVEs product

Monthly

CVE-2026-14751 LOW POC Monitor

SQL injection in stumasy's notes search functionality exposes authenticated remote attackers to database manipulation via the unsanitized `field_name` parameter in `Notes_controller::search_scratch_data`. The affected PHP application by developer mjperpinosa has a publicly available proof-of-concept exploit filed as GitHub issue #7, and the maintainer has not responded to disclosure, leaving all users on any commit through 327d1b0f2915ba79d7ef8ebb74553e987609d9be without a remediation path. No public exploit identified at time of analysis meets the KEV threshold, but the confirmed POC and absence of vendor response meaningfully elevate operational risk.

SQLi PHP Stumasy
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14750 MEDIUM POC This Month

SQL injection in stumasy's Notes_controller grants remote unauthenticated attackers the ability to manipulate database queries through the unsanitized Password argument in the accessing_dictionary_authorization function. The affected codebase is an obscure PHP application maintained by mjperpinosa, pinned to commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be as the last known vulnerable state. Publicly available exploit code exists via a GitHub issue report, and the project maintainer has not responded to disclosure, leaving no vendor-released patch at time of analysis.

SQLi PHP Stumasy
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14749 MEDIUM POC This Month

Remote PHP code injection in stumasy's calculator module allows unauthenticated network attackers to execute arbitrary server-side code by manipulating the `mathematical_sentence` parameter passed unsanitized into PHP's `eval()` function in calculate.php. A public proof-of-concept exploit exists (GitHub issue #5), and no patch has been released - the project maintainer has not responded to the disclosure. The rolling release model means no fixed version can be cited; the vulnerability is present through at least commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be.

Code Injection PHP RCE Stumasy
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
EPSS 0% CVSS 2.1
LOW POC Monitor

SQL injection in stumasy's notes search functionality exposes authenticated remote attackers to database manipulation via the unsanitized `field_name` parameter in `Notes_controller::search_scratch_data`. The affected PHP application by developer mjperpinosa has a publicly available proof-of-concept exploit filed as GitHub issue #7, and the maintainer has not responded to disclosure, leaving all users on any commit through 327d1b0f2915ba79d7ef8ebb74553e987609d9be without a remediation path. No public exploit identified at time of analysis meets the KEV threshold, but the confirmed POC and absence of vendor response meaningfully elevate operational risk.

SQLi PHP Stumasy
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

SQL injection in stumasy's Notes_controller grants remote unauthenticated attackers the ability to manipulate database queries through the unsanitized Password argument in the accessing_dictionary_authorization function. The affected codebase is an obscure PHP application maintained by mjperpinosa, pinned to commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be as the last known vulnerable state. Publicly available exploit code exists via a GitHub issue report, and the project maintainer has not responded to disclosure, leaving no vendor-released patch at time of analysis.

SQLi PHP Stumasy
NVD VulDB GitHub
EPSS 0% CVSS 5.5
MEDIUM POC This Month

Remote PHP code injection in stumasy's calculator module allows unauthenticated network attackers to execute arbitrary server-side code by manipulating the `mathematical_sentence` parameter passed unsanitized into PHP's `eval()` function in calculate.php. A public proof-of-concept exploit exists (GitHub issue #5), and no patch has been released - the project maintainer has not responded to the disclosure. The rolling release model means no fixed version can be cited; the vulnerability is present through at least commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be.

Code Injection PHP RCE +1
NVD VulDB GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy