CVE-2026-10806: Unrestricted File Upload in mjperpinosa stumasy
CVE-2026-10806 is a medium-severity file upload vulnerability in mjperpinosa stumasy affecting the add_post.php component. An authenticated attacker can manipulate the up_file_to_post parameter to upload files without proper restrictions, potentially allowing arbitrary file placement on the server. The vulnerability requires valid login credentials but can be exploited over the network. Exploit code has been publicly disclosed, increasing practical risk.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-284, CWE-434
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-04 / 2026-06-17
NVD description (verbatim)
A vulnerability was found in mjperpinosa stumasy. The affected element is an unknown function of the file application/PHP/objects/updates/add_post.php. Performing a manipulation of the argument up_file_to_post results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
6 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in application/PHP/objects/updates/add_post.php where insufficient input validation and access control on the up_file_to_post argument permits unrestricted file uploads. The affected code path lacks proper validation of file type, size, or destination, combined with inadequate permission checks (CWE-284 improper access control and CWE-434 unrestricted upload of dangerous file types). An authenticated user with POST privileges can bypass upload controls by directly manipulating the parameter value. The attack surface is network-accessible and requires only valid authentication to trigger.
Business impact
Successful exploitation enables attackers to upload arbitrary files to the server, creating multiple business risks: malicious script injection for lateral movement, website defacement, malware distribution, data exfiltration through uploaded shells, and potential compromise of server integrity. For organizations relying on mjperpinosa stumasy for content management, this represents a direct path from authenticated user to system compromise. The public availability of exploit code shortens the window between vulnerability awareness and active attack attempts.
Affected systems
mjperpinosa stumasy is affected across its rolling release model. The project does not maintain versioned releases, making blanket version recommendations impossible. Any deployment of this project should be considered potentially vulnerable unless the development team confirms a patch has been deployed. Organizations must verify their specific installation against the project's current development branch or issue tracker for patch status.
Exploitability
Exploitability is moderate-to-high. The attack requires valid authentication (reducing casual exploitation but not enterprise risk, since internal threats and compromised accounts remain common), but no special privileges beyond standard user role are needed. Network accessibility removes geographic barriers. The CVSS score of 6.3 reflects the authentication requirement, but public exploit availability significantly accelerates time-to-weaponization. Threat actors monitoring public disclosures can deploy attacks within hours to days.
Remediation
Contact the mjperpinosa stumasy project immediately to verify patch status, as no specific version information is available due to the rolling release model. Request security advisories or patch commits from the development team. Implement immediate compensating controls: enforce strict file upload validation (whitelist file types, verify MIME types, enforce size limits), restrict upload destination permissions to prevent script execution, implement file scanning before storage, and audit recent uploads for suspicious files. Limit the upload functionality to users who genuinely require it, and monitor for unauthorized file creation in upload directories.
Patch guidance
Because mjperpinosa stumasy uses a rolling release model, patch deployment is non-standard. Verify the current state of add_post.php in the project's development repository or contact maintainers directly for confirmation that the up_file_to_post validation has been corrected. When updating, confirm that file upload restrictions are enforced server-side and that files are stored outside the web root or in a directory with execution disabled. Test upload functionality post-patch to ensure both security and legitimate use cases remain functional. Track the project's issue tracker and commit history for security-related fixes.
Detection guidance
Monitor application logs for: POST requests to add_post.php with unusual or suspicious up_file_to_post values; file uploads with mismatched extensions or MIME types; uploads to unexpected directories; and creation of executable files (.php, .jsp, .asp, .exe) in upload folders. Implement file integrity monitoring on upload directories to alert on unexpected file appearance. Log authentication events to correlate uploads with user accounts. Use Web Application Firewalls (WAF) to block requests with encoded or obfuscated up_file_to_post payloads. Review recent file creation timestamps in upload directories against application logs to identify potential compromise windows.
Why prioritize this
This vulnerability merits prompt attention despite a MEDIUM CVSS score because: (1) exploitability is demonstrated and public, (2) authentication requirement is lower-impact in environments with user-facing platforms or internal threats, (3) file upload vulnerabilities frequently serve as entry points for post-exploitation activities, and (4) the rolling release model creates uncertainty about patch availability and deployment status. Organizations using mjperpinosa stumasy should treat this as higher-priority than the CVSS score alone suggests.
Risk score, explained
CVSS 6.3 (MEDIUM) reflects: network-accessible attack vector (AV:N), low complexity requiring only parameter manipulation (AC:L), requirement for authentication (PR:L), no user interaction needed (UI:N), single trust boundary impact (S:U), and confidentiality, integrity, and availability each slightly impacted (C:L/I:L/A:L). The score correctly penalizes the authentication gate but does not fully capture the elevated risk from public exploit code and the common role of file uploads in multi-stage attacks. In practice, organizations may justify treating this as higher-priority than the numeric score suggests.
Frequently asked questions
What happens if an attacker uploads a web shell using this vulnerability?
A web shell becomes an interactive backdoor permitting the attacker to execute arbitrary commands, read sensitive files, modify database records, pivot to other systems, and maintain persistent access. This is why file upload vulnerabilities are frequently the first stage in targeted attacks. Immediate file scanning and directory permission hardening are critical.
Does this vulnerability affect my organization if uploads are disabled in our configuration?
If the add_post.php upload functionality is completely disabled or unreachable in your deployment, the vulnerability surface is eliminated. However, verify this is enforced both in application code and firewall/network rules. Do not rely solely on user role restrictions.
How do I know if mjperpinosa stumasy has released a patch for this?
Check the project's GitHub repository (or equivalent source control), issue tracker, and security advisories directly. Contact the maintainers if no public information is available. Document your verification, as the rolling release model means no canonical version number marks the fix. Apply updates systematically and re-test upload functionality.
Is authentication a real barrier if our application is public-facing?
Not reliably. User registration is common, compromised credentials circulate, and internal threats exist. The authentication requirement reduces casual exploit likelihood but should not be the primary control. Implement layered validation: server-side file checks, execution prevention in upload directories, and monitoring for suspicious uploads.
This analysis is based on CVE-2026-10806 as published and available source data. mjperpinosa stumasy uses a rolling release model without versioned releases; specific patch version numbers and affected version ranges are not available from official sources. Organizations must independently verify patch status and applicability to their deployments by contacting the project maintainers or reviewing the development repository. This page does not constitute professional security advice and should be supplemented with vendor guidance, internal risk assessment, and organization-specific threat modeling. Exploit code availability and public disclosure status may change; verify current threat landscape through established vulnerability feeds. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10172MEDIUMBdtask Multi-Store Inventory 1.0 Unrestricted File Upload Vulnerability
- CVE-2026-10205MEDIUMUnrestricted File Upload in Metasoft MetaCRM 6.4.0 – Exploit Details & Remediation
- CVE-2026-10807MEDIUMUnrestricted File Upload in mjperpinosa stumasy Profile Image Handler
- CVE-2024-27891MEDIUMArista EOS MACsec + Egress ACL Policy Enforcement Failure
- CVE-2026-10152MEDIUMImproper Access Control in TaleLin lin-cms-spring-boot Book Endpoint
- CVE-2026-10255MEDIUMPharmacy Sales System Authentication Bypass – SourceCodester 1.0
- CVE-2026-10277MEDIUMImproper Access Control in MCP Google Workspace Gmail Tool
- CVE-2026-11017MEDIUMChrome Link Preview Navigation Bypass (CVSS 6.5)