CVE-2026-14749
Status: Received - Intake

Code Injection in Stumasy via Mathematical Sentence

Vulnerability report for CVE-2026-14749, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: VulDB

Description

A vulnerability was identified in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. Affected is the function eval of the file application/pages/imba_calculator/calculate.php. Manipulation of the argument mathematical_sentence leads to code injection. The attack can be carried out remotely. An exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery; therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.


Meta Information

Published: 2026-07-05
Last Modified: 2026-07-05
Generated: 2026-07-05
AI Q&A: 2026-07-05
EPSS Evaluated: N/A
External references: NVD, EUVD

Affected Vendors & Products

Vendor: mjperpinosa
Product: stumasy
Version / Range: to 327d1b0f2915ba79d7ef8ebb74553e987609d9be (exclusive)

Exploitability

CWE ID / Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is an unauthenticated PHP code injection in the stumasy project, specifically in the file application/pages/imba_calculator/calculate.php. It occurs because the application directly passes attacker-controlled POST data to the eval() function without any validation or sanitization.

An attacker can send a specially crafted POST request containing malicious PHP code in the value field of a user-supplied JSON array. Since the endpoint does not require authentication, this allows remote attackers to execute arbitrary PHP code on the server.

Impact Analysis

The impact of this vulnerability can be severe. An attacker can execute arbitrary PHP code on the web server, which may lead to:

  • Disclosure of local files
  • Writing files into the web root
  • Executing operating system commands
  • Full compromise of the application and its database, depending on the PHP configuration

Detection Guidance

This vulnerability can be detected by monitoring for suspicious POST requests sent to the endpoint related to the calculator functionality, specifically targeting the file application/pages/imba_calculator/calculate.php.

Look for POST requests containing JSON data where the 'value' field includes PHP code or suspicious payloads that could be evaluated by the eval() function.

You can use network monitoring tools or web server logs to identify such requests.

  • Use curl to test the endpoint with a crafted payload to see if code injection is possible, for example:
      curl -X POST -H "Content-Type: application/json" -d '{"value":"phpinfo();"}' http://yourserver/application/pages/imba_calculator/calculate.php
  • Check web server access logs for unusual POST requests to the calculator endpoint.
  • Use intrusion detection systems (IDS) or web application firewalls (WAF) to alert on suspicious payloads containing PHP code in POST data.

Mitigation Strategies

Immediate mitigation steps include preventing unauthenticated access to the vulnerable endpoint and disabling the use of eval() on user-supplied input.

Specifically:

  • Restrict access to application/pages/imba_calculator/calculate.php by implementing authentication and authorization controls.
  • Sanitize and validate all user inputs before passing them to any code execution functions.
  • Remove or replace the use of eval() with safer alternatives that do not execute arbitrary code.
  • Monitor logs for exploitation attempts and block suspicious IP addresses.
  • If possible, temporarily disable the vulnerable functionality until a patch or fix is available.
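As an added example that is not part of this advisory or of the stumasy code base, the following PHP shows one way to apply the third mitigation above: the submitted mathematical sentence is checked against a character whitelist and then computed by a small arithmetic parser, so no user text ever reaches eval(). The class name, method names and the sample input are hypothetical.

```php
<?php
// Added example, not stumasy's code: evaluate a "mathematical_sentence" without
// eval(). A whitelist rejects anything but digits, '.', + - * / ( ) and blanks;
// a small recursive-descent parser then computes the value itself.
final class SafeCalc {
    private array $tok = [];
    private int $pos = 0;

    public static function evaluate(string $sentence): float {
        if (!preg_match('/^[\d\s.+\-*\/()]+$/', $sentence)) { throw new InvalidArgumentException('unsupported characters'); }
        preg_match_all('/\d+(?:\.\d+)?|[-+*\/()]/', $sentence, $m); // whitespace is dropped here
        $c = new self();
        $c->tok = $m[0];
        $v = $c->expr();
        if ($c->pos !== count($c->tok)) { throw new InvalidArgumentException('trailing input'); }
        return $v;
    }

    private function peek(): ?string { return $this->tok[$this->pos] ?? null; }

    private function expr(): float {   // term (('+'|'-') term)*
        $v = $this->term();
        while (($op = $this->peek()) === '+' || $op === '-') {
            $this->pos++;
            $r = $this->term();
            $v = $op === '+' ? $v + $r : $v - $r;
        }
        return $v;
    }

    private function term(): float {   // factor (('*'|'/') factor)*
        $v = $this->factor();
        while (($op = $this->peek()) === '*' || $op === '/') {
            $this->pos++;
            $r = $this->factor();
            if ($op === '/' && $r == 0.0) { throw new DivisionByZeroError('division by zero'); }
            $v = $op === '*' ? $v * $r : $v / $r;
        }
        return $v;
    }

    private function factor(): float { // '-' factor | '(' expr ')' | number
        $t = $this->tok[$this->pos++] ?? null;
        if ($t === '-') { return -$this->factor(); }
        if ($t === '(') {
            $v = $this->expr();
            if (($this->tok[$this->pos++] ?? null) !== ')') { throw new InvalidArgumentException('missing )'); }
            return $v;
        }
        if ($t !== null && is_numeric($t)) { return (float) $t; }
        throw new InvalidArgumentException('unexpected token');
    }
}

// Constructed sample input (hypothetical); a request like {"value":"phpinfo();"} fails the whitelist.
echo SafeCalc::evaluate('2*(3+4)/7'), "\n";
```

Because the parser only understands arithmetic tokens, the injected-PHP payloads described in the detection guidance are rejected before any evaluation takes place.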
