CVE-2026-10806
Description
Unrestricted file upload in stumasy's add_post.php allows remote code execution by forging MIME types and using .php extensions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A vulnerability exists in the file attachment upload functionality within application/PHP/objects/updates/add_post.php in mjperpinosa stumasy. The issue stems from insufficient validation of uploaded files: the check accepts a file if either its MIME type or its file extension is allowlisted (a logical OR), rather than requiring both. This allows an attacker to bypass the check by providing a malicious PHP file with a forged MIME type (e.g., application/pdf) while retaining a .php extension.
Exploitation
An attacker can initiate this attack remotely by crafting a multipart POST request to add_post.php. They need to set the file field to a malicious PHP web shell, forge the Content-Type header to a whitelisted MIME type like application/pdf, and ensure the filename ends with .php. The server will then move the file to a web-accessible directory, such as ../../../../documents/files/, using the provided filename.
Impact
Upon successful exploitation, an attacker can achieve Remote Code Execution (RCE) on the server. By accessing the uploaded PHP file directly via its URL (e.g., http://target.com/documents/files/shell.php), the attacker's code will be executed with the privileges of the web server process.
Mitigation
This product uses a rolling release model, and specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report [1], but as of the available references, no patch or specific mitigation details have been publicly disclosed by the developers. The project has not responded to the issue report [1, 2].
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application fails to properly validate uploaded files, allowing arbitrary code execution."
Attack vector
An attacker can upload a malicious PHP file by forging its MIME type to a whitelisted value, such as 'application/pdf', while ensuring the file has a .php extension. The application checks the MIME type and file extension using an OR condition, meaning only one needs to be satisfied. The uploaded file is then saved to a web-accessible directory without proper sanitization of the filename, enabling remote code execution when the file is accessed directly [ref_id=1].
Affected code
The vulnerability resides in the `add_post.php` file, specifically within the post attachment upload functionality. The code checks the uploaded file's MIME type and extension against a whitelist using an OR condition. The `move_uploaded_file` function then saves the file to `../../../../documents/files/` using the original filename, which is not sanitized [ref_id=1].
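The following PHP is an added example and not code from the stumasy project. It reconstructs the validation pattern the advisory describes (accept when the client-supplied MIME type OR the extension is allowlisted) and places a hardened handler beside it. The field name `up_file_to_post` comes from this page; the allowlist contents, the helper names and the upload directory `/var/app/uploads` are assumptions.

```php
<?php
// Added example (not stumasy code). Contrasts the weak OR-based upload check
// described in the advisory with a hardened handler. The allowlist, helper
// names and upload directory are assumptions for illustration.

declare(strict_types=1);

// Extension => MIME type the file bytes must actually have (assumed allowlist).
const ALLOWED = [
    'pdf'  => 'application/pdf',
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
];

// Weak check in the shape the advisory describes: the file passes when EITHER
// the request's Content-Type OR the filename extension is allowlisted. The
// Content-Type is attacker-controlled, so a .php name with a forged PDF MIME
// type satisfies the first clause and is accepted.
function weakIsAllowed(string $clientMime, string $name): bool
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    return in_array($clientMime, ALLOWED, true) || isset(ALLOWED[$ext]);
}

// Hardened check: the extension must be allowlisted AND the MIME type is
// detected server-side from the temporary file's bytes (never taken from the
// request) AND the detected type must match the one expected for that
// extension. Returns the vetted extension, or null to reject.
function hardenedAllowedExt(string $tmpPath, string $name): ?string
{
    $ext = strtolower(pathinfo($name, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return null;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($tmpPath);
    if ($detected === false || $detected !== ALLOWED[$ext]) {
        return null;
    }
    return $ext;
}

// Stores $_FILES['up_file_to_post'] with the hardened check and a
// server-generated filename, so the client-supplied name (and any path
// components in it) never reaches the filesystem. $uploadDir is assumed to be
// outside the web root, or a directory where PHP execution is disabled, so a
// file that somehow passes the check still cannot be executed by the server.
function storeUpload(array $file, string $uploadDir): ?string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        return null;
    }
    if (!is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = hardenedAllowedExt($file['tmp_name'], $file['name']);
    if ($ext === null) {
        return null;
    }
    $target = rtrim($uploadDir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $target)) {
        return null;
    }
    chmod($target, 0640); // no execute bit, readable only by the app user/group
    return $target;
}

// Decision logic on constructed inputs (no real upload involved): the weak
// check accepts a .php filename carrying a forged PDF Content-Type, while the
// hardened path rejects any extension outside ALLOWED before consulting MIME.
var_dump(weakIsAllowed('application/pdf', 'report.php'));
var_dump(isset(ALLOWED[strtolower(pathinfo('report.php', PATHINFO_EXTENSION))]));

// In the real handler: storeUpload($_FILES['up_file_to_post'] ?? [], '/var/app/uploads');
```

The two `var_dump` calls show the contrast directly: the first is `true` because the forged Content-Type alone satisfies the OR; the second is `false` because `php` is not a key in `ALLOWED`, which is the first gate of the hardened path. The random filename also removes the unsanitized-filename concern noted above, since `move_uploaded_file` is never given a name the client chose.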
What the fix does
The advisory does not specify a patch or provide details on how the vulnerability is fixed. The project was informed of the problem but has not responded. Therefore, no remediation guidance is available.
Preconditions
- auth: The attacker needs to be authenticated with privileges to upload posts.
- input: The attacker must provide a crafted file with a forged MIME type and a .php extension.
Reproduction
Craft a PHP web shell. Use curl or an HTTP client to send a multipart POST request to `/application/PHP/objects/updates/add_post.php`. Set the `up_file_to_post` field to the PHP shell, forge the `Content-Type` to `application/pdf`, and provide a filename ending in `.php` (e.g., `shell.php`). Access the uploaded file via `http://target.com/documents/files/shell.php` to execute the code [ref_id=1].
Generated on Jun 4, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (5)
News mentions (0)
No linked articles in our index yet.