CVE Catalog

CVE-2026-14753

HighCVSS 7.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.31%

23th percentile — higher than 23% of all known CVEs

Summary

A vulnerability was found in the Note Handler/Assignment Handler component of stumasy up to commit 327d1b0f, allowing authorization bypass via manipulation of the assignment_item_id argument in /PHP/objects/notes. The attack is remotely exploitable and the exploit is public.

Risk Assessment

The organization is at risk of unauthorized access to note and assignment handling functions, potentially leading to data confidentiality and integrity breaches. Due to the lack of vendor response and public exploit, the risk is high.

Recommendation

Immediately implement temporary mitigations such as restricting access to /PHP/objects/notes and monitoring for suspicious requests. Since no patch is available, consider discontinuing use of the component until an update is released.

Original NVD description (English source)

A vulnerability was detected in mjperpinosa stumasy up to 327d1b0f2915ba79d7ef8ebb74553e987609d9be. This impacts an unknown function of the file /PHP/objects/notes of the component Note Handler/Assignment Handler. Performing a manipulation of the argument assignment_item_id results in authorization bypass. The attack can be initiated remotely. The exploit is now public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS