PatchSiren cyber security CVE debrief
CVE-2026-10806 mjperpinosa CVE debrief
A vulnerability was found in mjperpinosa stumasy. The affected element is an unknown function of the file application/PHP/objects/updates/add_post.php. Performing a manipulation of the argument up_file_to_post results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
- Vendor: mjperpinosa
- Product: stumasy
- CVSS: LOW 2.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-04
- Original CVE updated: 2026-06-04
- Advisory published: 2026-06-04
- Advisory updated: 2026-06-04
Who should care
Users of stumasy, especially those exposed to remote attacks, should be aware of this vulnerability. Given its low CVSS score of 2.1, it may not be a high priority, but it still poses a risk, especially since the exploit has been made public.
Technical summary
The vulnerability, CVE-2026-10806, is an unrestricted upload issue in stumasy, specifically in the file application/PHP/objects/updates/add_post.php. The manipulation of the argument up_file_to_post allows for unrestricted upload, which can be exploited remotely. The CVSS vector is CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X.
Defensive priority
Low
Recommended defensive actions
- Apply patches or updates as soon as they are available, especially if they address this specific vulnerability.
- Monitor the project for updates or responses regarding this issue.
- Consider implementing additional security measures to protect against unrestricted upload attacks, such as validating file types and sizes.
Evidence notes
The vulnerability has been made public and could be used. The project was informed early but has not responded yet. The product uses a rolling release model, making specific version information for affected or updated releases unavailable.
Official resources
CVE-2026-10806 was published on 2026-06-04T14:16:36.593Z and modified on 2026-06-04T14:41:25.017Z.