CVE-2026-10807
Description
Unrestricted file upload in stumasy's profile image feature allows remote code execution by forging MIME types.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The mjperpinosa stumasy application contains a vulnerability in application/PHP/objects/profiles/change_profile_image.php that allows for unrestricted file uploads. The script attempts to validate uploaded files by checking if the client-supplied MIME type or file extension is in a whitelist using an OR condition. This allows an attacker to bypass validation by providing a whitelisted MIME type (e.g., image/png) while using a malicious file extension (e.g., .php). The affected product operates on a rolling release basis, so specific version details are not available.
Exploitation
An attacker can exploit this vulnerability remotely without authentication. The attack involves sending a multipart POST request to change_profile_image.php with the file field pr_profile_image. The attacker must forge the Content-Type header to a whitelisted MIME type, such as image/png, while uploading a file with a .php extension (e.g., avatar.php). The server will save the file with a randomized name but retain the .php extension, making it executable.
Impact
Successful exploitation of this vulnerability leads to remote code execution (RCE) on the server. The server responds with the generated filename, allowing the attacker to immediately access and execute the uploaded PHP script. This grants the attacker the privileges of the web server process.
Mitigation
This product operates on a rolling release basis, so specific version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not yet responded [1]. No patched version or workaround is currently available in the provided references.
AI Insight generated on Jun 4, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The file upload validation logic uses an OR condition, allowing an attacker to bypass checks by manipulating the Content-Type header."
Attack vector
An attacker can remotely exploit this vulnerability by sending a multipart POST request to `change_profile_image.php`. The request must include a file with a malicious extension (e.g., .php) but with a forged Content-Type header set to an allowed MIME type, such as `image/png` [ref_id=1]. This bypasses the validation, and the script is saved with its original extension in a web-accessible directory [ref_id=1]. The attacker can then access the uploaded script directly to achieve remote code execution [ref_id=1].
Affected code
The vulnerability resides in the file `application/PHP/objects/profiles/change_profile_image.php`, specifically in lines 4-13. The script's validation logic, which checks the file's MIME type or extension using an OR condition, is flawed [ref_id=1]. The `move_uploaded_file` function is used to save the file to `../../../../documents/images/` [ref_id=1].
What the fix does
The advisory does not provide a patch or specific remediation steps. It indicates that the project was informed of the problem but has not yet responded. Therefore, no fix explanation can be provided.
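As an added illustration that is not the stumasy project's own code (its upload handler is not reproduced here), the following contrasts the OR-style check the advisory describes with a stricter handler that ignores the client-supplied Content-Type, requires a whitelisted extension, sniffs the file content, and stores the file under a server-chosen name. The field name `pr_profile_image` and the `documents/images` target directory follow the advisory; everything else is assumed.

```php
<?php
// Added illustration, not the stumasy project's own code (its upload handler is
// not reproduced here). Field name pr_profile_image and the documents/images
// target directory follow the advisory.

const ALLOWED = ['png' => 'image/png', 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'gif' => 'image/gif'];

// Flawed pattern the advisory describes: client-supplied type OR extension may
// match, so Content-Type "image/png" with filename "avatar.php" is accepted.
function weak_check(array $file): bool
{
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    return in_array($file['type'], ALLOWED, true) || array_key_exists($ext, ALLOWED);
}

// Stricter check: the client-supplied Content-Type is ignored; the extension must
// be whitelisted AND the sniffed content must be the image type that extension
// maps to. Returns the whitelisted extension, or null to reject.
function strict_check(array $file): ?string
{
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return null;
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        return null;
    }
    $sniffed = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    return $sniffed === ALLOWED[$ext] ? $ext : null;
}

// Store under a server-generated name whose extension comes from the whitelist,
// never from the client, so nothing ending in .php can land in the web root.
function save_profile_image(array $file, string $dir): ?string
{
    $ext = strict_check($file);
    if ($ext === null) {
        return null;
    }
    $dest = rtrim($dir, '/') . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    return move_uploaded_file($file['tmp_name'], $dest) ? basename($dest) : null;
}

if (isset($_FILES['pr_profile_image'])) {
    $saved = save_profile_image($_FILES['pr_profile_image'], __DIR__ . '/../../../../documents/images');
    echo $saved ?? 'upload rejected';
}
```

Serving the upload directory with PHP execution disabled (or from outside the web root) is a separate control worth adding regardless of the validation logic.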
Preconditions
- Authentication: The attacker needs to be authenticated to the system to upload a profile image.
- Input control: The attacker must be able to control the Content-Type header of the HTTP request.
Reproduction
1. Create a minimal PHP web shell (e.g., `<?php system($_GET['cmd']); ?>`) and save it as `avatar.php`.
2. Send a multipart POST request to `/application/PHP/objects/profiles/change_profile_image.php` with the file field `pr_profile_image`. Forge the MIME type in the request header to `image/png` while keeping the filename as `avatar.php` [ref_id=1].
3. The server will respond with a randomized filename (e.g., `1585712053.php`) [ref_id=1].
4. Access the uploaded file via `http://<host>/documents/images/<randomized_filename>.php?cmd=ls` to confirm remote code execution [ref_id=1].