CVE-2026-14750
Received Received - Intake

SQL Injection in Stumasy Notes Controller

Vulnerability report for CVE-2026-14750, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: VulDB

Description

A security flaw has been discovered in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. The affected element is the function Notes_controller::accessing_dictionary_authorization of the file application/PHP/objects/notes/accessing_dictionary_authorization.php. The manipulation of the argument Password results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-05
Last Modified
2026-07-05
Generated
2026-07-05
AI Q&A
2026-07-05
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
mjperpinosa stumasy to 327d1b0f2915ba79d7ef8ebb74553e987609d9be (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a SQL injection flaw in the mjperpinosa stumasy application, specifically in the function Notes_controller::accessing_dictionary_authorization. The issue arises because the user-supplied Password argument is directly concatenated into a SQL query without proper sanitization or parameterization.

An attacker can exploit this by injecting SQL code into the Password field, such as using boolean-based payloads like closing the password string and appending conditions like OR 1=1. This allows bypassing password checks and gaining unauthorized access to the dictionary authorization system.

The vulnerability exists because the prepare() function is used incorrectly, still allowing untrusted input to be concatenated into the SQL query.

Impact Analysis

Exploiting this vulnerability can allow an attacker to bypass authentication controls and gain unauthorized access to the dictionary authorization system.

Depending on the database configuration, the attacker may also be able to manipulate or extract sensitive data from the database.

This can lead to data breaches, unauthorized data modification, and potentially further compromise of the application or underlying systems.

Detection Guidance

This vulnerability can be detected by sending crafted HTTP requests to the dictionary authorization endpoint that include SQL injection payloads in the Password argument. For example, injecting boolean-based SQL payloads such as closing the password string and appending conditions like 'OR 1=1' can be used to test if the system improperly authorizes access.

A practical detection method involves sending a malformed password payload via an HTTP request and observing if the response indicates successful authorization (true) instead of rejection (false).

  • Use curl or similar tools to send a request with a payload like: curl -X POST -d 'Password=anything' OR 1=1 http://target/application/PHP/objects/notes/accessing_dictionary_authorization.php
  • Monitor network traffic for unusual or malformed SQL payloads targeting the Password parameter in requests to the Notes_controller::accessing_dictionary_authorization function.
Mitigation Strategies

Immediate mitigation steps include preventing the injection of untrusted input into SQL queries by properly sanitizing and parameterizing the Password argument in the affected function.

Since the vulnerability arises from improper use of the prepare() function allowing concatenation of untrusted input, ensure that all SQL queries use parameterized statements correctly without string concatenation.

If possible, restrict access to the vulnerable endpoint to trusted networks or users until a patch or update is available.

Monitor logs for suspicious authorization attempts that may indicate exploitation attempts.

Compliance Impact

The SQL injection vulnerability in the mjperpinosa stumasy application allows attackers to bypass password checks and potentially gain unauthorized access to sensitive data. This unauthorized access and potential data manipulation or extraction can lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls over access to personal and sensitive information.

Specifically, the vulnerability could result in unauthorized disclosure or alteration of protected data, undermining confidentiality, integrity, and availability requirements mandated by these standards.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14750. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart