📄 Description (English)
A vulnerability was found in mjperpinosa stumasy. The affected element is an unknown function of the file application/PHP/objects/updates/add_post.php. Performing a manipulation of the argument up_file_to_post results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.
🤖 AI Executive Summary
CVE-2026-10806 is a medium-severity arbitrary file upload vulnerability in mjperpinosa stumasy affecting the add_post.php file. The vulnerability allows remote attackers to upload unrestricted files by manipulating the up_file_to_post parameter, potentially leading to remote code execution. With public exploit availability and no patch currently available, this poses an immediate risk to organizations using this software.
📄 Description (Arabic)
🤖 AI Intelligence Analysis Analyzed: Jun 4, 2026 18:16
🇸🇦 Saudi Arabia Impact Assessment
This vulnerability primarily impacts Saudi organizations using mjperpinosa stumasy for content management or web applications. Most at-risk sectors include: Government agencies (NCA, CITC) using this platform for public-facing services; Media and Publishing organizations; Educational institutions; and Small-to-medium enterprises (SMEs) using this CMS. The unrestricted file upload capability could enable attackers to deploy malware, establish persistence, or exfiltrate sensitive data. Given Saudi Arabia's increasing digital transformation initiatives, compromised government or educational portals could have significant reputational and operational impact.
🏢 Affected Saudi Sectors
Government
Education
Media and Publishing
Small-to-Medium Enterprises
Content Management Services
🎯 MITRE ATT&CK Techniques
⚖️ Saudi Risk Score (AI)
7.2
/ 10.0
🔧 Remediation Steps (English)
Immediate Actions:
1. Identify all systems running mjperpinosa stumasy and document versions/deployment locations
2. Implement Web Application Firewall (WAF) rules to block requests to application/PHP/objects/updates/add_post.php containing suspicious up_file_to_post parameters
3. Restrict file upload functionality at the application level - whitelist only safe file extensions (.jpg, .png, .pdf)
4. Implement strict file type validation using MIME type checking and magic number verification
5. Store uploaded files outside the web root directory with execute permissions disabled
6. Monitor upload directories for suspicious file activity
Compensating Controls:
7. Disable the add_post.php functionality entirely if not critical to operations
8. Implement IP-based access controls limiting upload functionality to trusted networks
9. Enable detailed logging and alerting on all file upload attempts
10. Conduct immediate security assessment of uploaded files for malicious content
11. Monitor for indicators of compromise (IOCs) related to this CVE
12. Contact mjperpinosa stumasy project for security advisory and timeline for patch release
Detection Rules:
- Alert on POST requests to add_post.php with up_file_to_post parameter containing executable extensions (.php, .exe, .sh, .jsp)
- Monitor for unusual file uploads with double extensions or null byte injection attempts
- Track failed and successful file uploads with timestamps and source IPs
🔧 خطوات المعالجة (العربية)
الإجراءات الفورية:
1. تحديد جميع الأنظمة التي تعمل بـ mjperpinosa stumasy وتوثيق الإصدارات ومواقع النشر
2. تطبيق قواعد جدار حماية تطبيقات الويب (WAF) لحظر الطلبات إلى add_post.php التي تحتوي على معاملات up_file_to_post مريبة
3. تقييد وظيفة تحميل الملفات على مستوى التطبيق - إدراج الامتدادات الآمنة فقط في القائمة البيضاء
4. تطبيق التحقق الصارم من نوع الملف باستخدام فحص نوع MIME والتحقق من رقم السحر
5. تخزين الملفات المرفوعة خارج دليل الويب مع تعطيل أذونات التنفيذ
6. مراقبة أدلة التحميل للنشاط المريب
الضوابط البديلة:
7. تعطيل وظيفة add_post.php بالكامل إذا لم تكن حرجة للعمليات
8. تطبيق ضوابط الوصول القائمة على عناوين IP لتقييد وظيفة التحميل للشبكات الموثوقة
9. تفعيل السجلات التفصيلية والتنبيهات على جميع محاولات تحميل الملفات
10. إجراء تقييم أمني فوري للملفات المرفوعة للكشف عن المحتوى الضار
11. مراقبة مؤشرات الاختراق المتعلقة بهذه الثغرة
12. التواصل مع مشروع mjperpinosa stumasy للحصول على استشارة أمنية وجدول زمني لإصدار التصحيح
📋 Regulatory Compliance Mapping
🟢 NCA ECC 2024
ECC 2024 A.14.2.1 - Information security requirements in supplier relationships
ECC 2024 A.12.6.1 - Management of technical vulnerabilities
ECC 2024 A.12.3.1 - Segregation of networks
ECC 2024 A.14.1.1 - Information security policy
🔵 SAMA CSF
ID.RA-1 - Asset management and vulnerability identification
PR.DS-6 - Data integrity and protective monitoring
DE.CM-1 - Detection and analysis of anomalies
RS.RP-1 - Response planning and procedures
🟡 ISO 27001:2022
A.12.6.1 - Management of technical vulnerabilities
A.14.2.1 - Supplier security requirements
A.8.1.1 - User endpoint devices
A.13.1.3 - Segregation of networks
🟣 PCI DSS v4.0.1
Requirement 6.2 - Security patches and updates
Requirement 6.5.8 - Improper access control
Requirement 11.2 - Vulnerability scanning
🔗 References & Sources 6
🔗
🔗
🔗
🔗
🔗
🔗
https://github.com/mjperpinosa/stumasy/
cna@vuldb.com
https://github.com/mjperpinosa/stumasy/issues/1
cna@vuldb.com
https://vuldb.com/cve/CVE-2026-10806
cna@vuldb.com
https://vuldb.com/submit/831510
cna@vuldb.com
https://vuldb.com/vuln/368254
cna@vuldb.com
https://vuldb.com/vuln/368254/cti
cna@vuldb.com