CVE-2026-14752
Received Received - Intake

Stored XSS in Stumasy Application

Vulnerability report for CVE-2026-14752, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-05

Last updated on: 2026-07-05

Assigner: VulDB

Description

A security vulnerability has been detected in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. This affects the function add_definition of the file application/PHP/objects/notes/add_into_dictionary.php. Such manipulation of the argument reference leads to cross site scripting. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-05
Last Modified
2026-07-05
Generated
2026-07-05
AI Q&A
2026-07-05
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
mjperpinosa stumasy to 327d1b0f2915ba79d7ef8ebb74553e987609d9be (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-79 The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-14752 is a Stored Cross-Site Scripting (XSS) vulnerability in the mjperpinosa stumasy application. It occurs because user-supplied dictionary references are stored and later rendered back into HTML without proper output encoding or sanitization.

Specifically, the add_definition function stores user input directly into the database without sanitizing the reference field. When the dictionary entry is displayed, the application uses jQuery's .html() method to inject the content into the DOM, which executes any embedded HTML or JavaScript payloads.

An attacker can exploit this by logging in, adding a dictionary entry with a malicious script in the reference field (for example, <svg/onload=alert()>), and when the entry is viewed, the script executes.

Impact Analysis

This vulnerability can lead to several security impacts including:

  • Execution of arbitrary JavaScript in the context of the affected application.
  • Potential theft of user sessions, especially since PHP session cookies lack the HttpOnly flag.
  • Unauthorized actions performed on behalf of users, such as manipulating stored content.
  • Phishing attacks within the application's origin by injecting malicious content.
Detection Guidance

This vulnerability can be detected by attempting to add a dictionary entry with a typical XSS payload in the reference field and then observing if the payload executes when viewing the entry.

For example, an attacker can log in and add a dictionary entry with a payload such as <svg/onload=alert()> in the reference field. If the alert box appears when viewing the entry, the vulnerability is present.

To detect this on your system, you can manually test by adding such payloads or use automated web vulnerability scanners that check for stored XSS in input fields.

There are no specific network commands provided in the resources, but monitoring HTTP requests and responses for unsanitized user input being reflected in HTML without encoding can help identify the issue.

Mitigation Strategies

Immediate mitigation steps include sanitizing and properly encoding all user-supplied input before storing or rendering it in the application.

Specifically, the application should avoid inserting unescaped user input into HTML using methods like jQuery's .html(), and instead use safe methods that do not execute embedded scripts.

Additionally, setting the HttpOnly flag on PHP session cookies can help reduce the impact of session theft via XSS.

Since the project uses rolling releases and no fixed version updates are available yet, consider applying input validation and output encoding patches or workarounds until an official fix is released.

Compliance Impact

The vulnerability is a stored Cross-Site Scripting (XSS) issue that allows execution of arbitrary JavaScript in the context of the affected application. This can lead to session theft, unauthorized account actions, and phishing attacks within the application's origin.

Such security weaknesses can impact compliance with standards like GDPR and HIPAA because they may lead to unauthorized access or disclosure of personal data, compromise user accounts, and undermine data integrity and confidentiality requirements mandated by these regulations.

Specifically, session theft and unauthorized actions could result in exposure or manipulation of personal or sensitive information, which would be a violation of data protection principles under GDPR and HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14752. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart