MEDIUM 6.3

CVE-2026-10807: Unrestricted File Upload in mjperpinosa stumasy Profile Image Handler

A file upload vulnerability exists in mjperpinosa stumasy that allows authenticated users to upload files without proper validation. By manipulating the profile image upload parameter in the application's profile management component, an attacker with login credentials can bypass upload restrictions and place arbitrary files on the server. The vulnerability requires authentication but poses meaningful risk to confidentiality, integrity, and availability of the affected system.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-284, CWE-434
Affected products
0 configuration(s)
Published / Modified
2026-06-04 / 2026-06-17

NVD description (verbatim)

A vulnerability was determined in mjperpinosa stumasy. The impacted element is an unknown function of the file application/PHP/objects/profiles/change_profile_image.php. Executing a manipulation of the argument pr_profile_image can lead to unrestricted upload. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-10807 is an unrestricted file upload vulnerability located in the profile image change functionality (application/PHP/objects/profiles/change_profile_image.php). The vulnerability stems from inadequate validation of the pr_profile_image parameter, allowing authenticated users to circumvent upload controls. This maps to CWE-284 (improper access control) and CWE-434 (unrestricted upload of dangerous file types), indicating both authorization and input validation gaps. The CVSS v3.1 score of 6.3 (MEDIUM) reflects the requirement for valid credentials but acknowledges the potential for lateral damage across confidentiality, integrity, and availability.

Business impact

Successful exploitation could enable attackers to host malicious files, inject web shells for command execution, or replace legitimate application assets with compromised versions. For organizations running mjperpinosa stumasy, this creates risk of account compromise proliferation, malware distribution, or complete application compromise depending on server configuration and file permissions. The requirement for prior authentication limits the immediate blast radius but does not eliminate risk, particularly in environments with weak credential hygiene or where user accounts are compromised through other means.

Affected systems

mjperpinosa stumasy is affected. The project operates on a rolling release basis without discrete versioned releases, meaning all active deployments should be considered potentially vulnerable until patching is confirmed. Organizations running this application should inventory their instances and verify their current state against vendor guidance.

Exploitability

The vulnerability is exploitable remotely by any user with valid authentication credentials. The attack complexity is low—the pr_profile_image parameter can be manipulated through standard HTTP requests during normal profile update workflows. Exploit code and proof-of-concept details have been publicly disclosed, lowering the barrier to exploitation. This vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities catalog, but the public disclosure means defensive prioritization should not rely on exploit rarity.

Remediation

Immediate remediation requires proper input validation and upload restriction controls on the profile image upload endpoint. Implement strict file type whitelisting (verify MIME type and magic bytes, not just file extension), enforce size limits, store uploads outside the web root, disable script execution in upload directories, and apply principle of least privilege to file permissions. Until patches are available, consider temporarily disabling profile image uploads or restricting the feature to administrative users only. Contact mjperpinosa stumasy project maintainers for patch availability and timeline.

Patch guidance

The project operates on a rolling release basis and has not yet responded to the early disclosure. Verify with the official mjperpinosa stumasy repository and advisory channels for patch availability. When updates are released, apply them to all instances as soon as testing permits. Given the lack of discrete versioning, monitor the project's main branch or release notifications closely. If patches are delayed, implement compensating controls (upload restrictions, Web Application Firewall rules) to reduce attack surface while awaiting fixes.

Detection guidance

Monitor application logs for POST requests to change_profile_image.php with suspicious pr_profile_image parameter values, particularly those containing script tags, executable extensions, or encoded payloads. Inspect uploaded files in the profile image directory for unexpected file types or modifications. Check for web shells or suspicious scripts in upload directories. Log all authentication events and correlate with upload activity to identify compromised accounts performing uploads. Implement file integrity monitoring on uploaded assets to detect unauthorized changes.

Why prioritize this

Although the CVSS score is MEDIUM (6.3), this vulnerability warrants prompt attention because: (1) exploit code is publicly available, reducing time-to-weaponization; (2) the attack surface includes all authenticated users, potentially dozens or hundreds in multi-user deployments; (3) unrestricted file upload can lead to remote code execution depending on server configuration; (4) the vendor has not yet acknowledged or patched the issue, creating extended exposure. Organizations should treat this as a high-priority remediation candidate despite the MEDIUM CVSS score.

Risk score, explained

The CVSS 3.1 score of 6.3 (MEDIUM) reflects: (1) Network Attack Vector (AV:N) — exploitable from the internet; (2) Low Attack Complexity (AC:L) — no special conditions required; (3) Low Privilege requirement (PR:L) — authenticated access needed, which is a limiting factor; (4) No User Interaction required (UI:N) — attacker can act unilaterally; (5) impact to Confidentiality, Integrity, and Availability (C:L/I:L/A:L) — each moderately affected. The MEDIUM rating appropriately captures the severity while acknowledging the authentication barrier. However, in environments with password reuse, phishing vulnerability, or compromised internal accounts, the practical risk may be higher.

Frequently asked questions

Does this vulnerability require administrative access to exploit?

No. The vulnerability requires valid user authentication but not administrative privileges. Any user with a working account can attempt exploitation through the profile image upload feature, making it accessible to potentially many users depending on application deployment and user management practices.

What file types can be uploaded through this vulnerability?

The vulnerability allows unrestricted upload of arbitrary file types because input validation is insufficient. Depending on server configuration, this could include executable scripts (.php, .jsp, .asp), archives (.zip, .tar), or other malicious payloads. The lack of proper file type enforcement is a core component of the vulnerability.

Is there a patch available for mjperpinosa stumasy?

As of the vulnerability disclosure, the project has not responded to early notification and no patch has been released. The application uses rolling releases without discrete version numbers. Monitor official project channels and repositories for updates. In the interim, implement compensating controls such as upload restrictions or Web Application Firewall rules.

If this is only MEDIUM severity, why should we prioritize it?

CVSS does not capture all real-world risk factors. Public exploit availability, the breadth of potential attackers (any authenticated user), and the possibility of remote code execution in typical configurations make this a practical high-priority remediation target despite the MEDIUM CVSS score. Prioritization should consider threat landscape, not CVSS alone.

This analysis is provided for informational purposes. SEC.co does not provide legal advice or guarantee the accuracy of third-party vendor information. Organizations should verify all patch availability, affected version status, and remediation guidance directly with mjperpinosa stumasy maintainers and their own security teams. Implement changes only after thorough testing in non-production environments. This vulnerability is not currently listed on CISA's Known Exploited Vulnerabilities catalog, but public exploit disclosure means active monitoring is recommended. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).