CVE-2026-14751
Status: Received - Intake

SQL Injection in mjperpinosa stumasy

Vulnerability report for CVE-2026-14751, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: VulDB

Description

A weakness has been identified in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. The impacted element is the function Notes_controller::search_scratch_data of the file application/PHP/objects/notes/search_scratch_data.php. Manipulation of the argument field_name causes SQL injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. This product uses a rolling release to provide continuous delivery. Therefore, no version details for affected or updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.

Meta Information

Published: 2026-07-05

Last Modified: 2026-07-05

Generated: 2026-07-05

AI Q&A: 2026-07-05

EPSS Evaluated: N/A

Affected Vendors & Products

Vendor: mjperpinosa

Product: stumasy

Version / Range: to 327d1b0f2915ba79d7ef8ebb74553e987609d9be (exc)

Exploitability

CWE

CWE-74: The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.

CWE-89: The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Executive Summary

This vulnerability is a blind SQL injection in the Stumasy application, specifically in the function Notes_controller::search_scratch_data within the file application/PHP/objects/notes/search_scratch_data.php.

The issue arises because the application directly inserts the user-supplied 'field_name' parameter into a SQL query without proper validation or allowlisting. This allows an attacker to inject malicious SQL code into the query's WHERE clause.

An authenticated attacker can exploit this by sending crafted requests with SQL injection payloads in the 'field_name' parameter, enabling them to execute arbitrary SQL commands indirectly.

The vulnerability was confirmed with a proof of concept using a time-based blind SQL injection technique, where the response time increased significantly, indicating successful execution of injected SQL.

Impact Analysis

This vulnerability can allow an attacker to infer and extract sensitive information from the database by exploiting the blind SQL injection flaw.

Because the injection occurs in a parameter that controls SQL identifiers, it bypasses protections like prepared statements that only secure bound values.

An attacker could potentially disclose sensitive data belonging to other users, leading to data breaches.

Since the attack can be initiated remotely by an authenticated user, it poses a significant risk to the confidentiality and integrity of the application's data.

Detection Guidance

This vulnerability can be detected by testing the `field_name` parameter in the `search_scratch_data.php` file for SQL injection. Specifically, sending crafted requests with SQL injection payloads such as time-based blind SQL injection can reveal the issue.

A proof of concept involves injecting a payload like `SLEEP(1)` into the `field_name` parameter and observing the response time. A significant increase in response time (e.g., from 0.01 seconds to 12 seconds) confirms successful SQL injection.

  • Send a POST request to the vulnerable endpoint with a payload in the `field_name` parameter that includes `SLEEP(1)` or similar SQL injection syntax.
  • Example command using curl to test the vulnerability (replace URL and parameters accordingly):
    `curl -X POST -d "field_name=valid_field_name OR SLEEP(5)-- " https://targetsite/application/PHP/objects/notes/search_scratch_data.php`

If the response time is noticeably delayed, it indicates the presence of the SQL injection vulnerability.

Mitigation Strategies

Immediate mitigation steps include validating and allowlisting the `field_name` parameter to ensure only expected and safe values are accepted.

Avoid directly inserting user-supplied input into SQL queries, especially for SQL identifiers or syntax elements. Use parameterized queries or prepared statements where possible, but note that prepared statements do not protect SQL identifiers.

Restrict access to the vulnerable functionality to trusted users only, as exploitation requires authentication.

Monitor logs for suspicious activity involving the `field_name` parameter and unusual delays in response times.

Since the project has not yet released a fix, consider applying temporary patches or code changes to sanitize or restrict input before a proper update is available.
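
The allowlisting and logging steps above, sketched as an added example; this is not code from the stumasy project. The table `notes`, its columns, the `user_id` scoping and both function names are assumptions made for illustration, and the demo rows are constructed.

```php
<?php
declare(strict_types=1);

// Hypothetical allowlist: accepted request value => column identifier.
// The real column names in stumasy are not given on this page.
const SEARCHABLE_FIELDS = [
    'title'   => 'title',
    'content' => 'content',
];

// Map the untrusted field_name to a fixed identifier, or reject it.
function resolve_search_column(string $fieldName): string
{
    if (!array_key_exists($fieldName, SEARCHABLE_FIELDS)) {
        // Record rejected values so probing of field_name shows up in logs.
        error_log('search_scratch_data: rejected field_name=' . json_encode($fieldName));
        throw new InvalidArgumentException('Unsupported field_name');
    }
    return SEARCHABLE_FIELDS[$fieldName];
}

function search_notes(PDO $pdo, int $userId, string $fieldName, string $term): array
{
    // Identifier: taken from the allowlist, never from the request itself.
    $column = resolve_search_column($fieldName);
    $stmt = $pdo->prepare(
        "SELECT id, title FROM notes WHERE user_id = :uid AND $column LIKE :term"
    );
    // Values: bound parameters, which is all a prepared statement protects.
    $stmt->execute([':uid' => $userId, ':term' => '%' . $term . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed demo data in an in-memory SQLite database.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, user_id INTEGER, title TEXT, content TEXT)');
$pdo->exec("INSERT INTO notes (user_id, title, content) VALUES (1, 'Exam plan', 'revise'), (2, 'Private', 'other user')");

print_r(search_notes($pdo, 1, 'title', 'Exam'));

try {
    // Same shape as the test value shown under Detection Guidance.
    search_notes($pdo, 1, 'title OR SLEEP(5)-- ', 'x');
} catch (InvalidArgumentException $e) {
    echo 'rejected: ' . $e->getMessage() . PHP_EOL;
}
```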

Compliance Impact

The SQL injection vulnerability in the Stumasy application allows attackers to infer and potentially disclose sensitive information belonging to other users by exploiting the 'field_name' parameter. Such unauthorized access and disclosure of personal or sensitive data can lead to non-compliance with data protection regulations like GDPR and HIPAA, which mandate the protection of personal data and require organizations to implement adequate security measures to prevent data breaches.

Specifically, this vulnerability could result in unauthorized access to personal data, violating principles of data confidentiality and integrity required by these standards. Organizations using this software may face legal and regulatory consequences if the vulnerability is exploited and leads to data breaches.
