Security Advisory - Published 2026-07-06 - PHP / Student Management
stumasy batch: check rolling-release deployments, notes activity, calculator pages, and logs
This batch covers stumasy records in a rolling-release project where fixed version metadata may not be clear. The useful response is inventory, exposure removal, log preservation, and code provenance review.
Affected CVEs in this batch
| CVE | Product | Affected | Review | CVSS |
|---|---|---|---|---|
| CVE-2026-14749 | mjperpinosa stumasy | rolling release | application calculator pages and web logs | 7.5 |
| CVE-2026-14750 | mjperpinosa stumasy | rolling release | notes authorization requests and database logs | 7.5 |
| CVE-2026-14753 | mjperpinosa stumasy | rolling release | notes object requests and application logs | 7.5 |
What to check
- Whether stumasy is installed on a real school, lab, or public demo domain.
- Calculator pages, notes objects, notes authorization flows, and related PHP error logs.
- Student, notes, dictionary, and administrator records changed during the exposure window.
- Repository commit, deployment date, and any local edits made after the code was copied.
Safe fix path
- Take public stumasy deployments offline unless there is a maintained fixed branch.
- Preserve web logs, PHP logs, database logs, and a database snapshot before cleanup.
- Review notes, student records, administrator accounts, and any exported files.
- Replace copied rolling-release code with a maintained student-management system before reopening.
Compromise indicators
- Unexpected access to notes or calculator pages from unknown IP addresses.
- Changed student, notes, or dictionary records without a matching user action.
- New administrator sessions, exports, or database backups outside normal operations.
- Local code edits that are not tracked in a deployment record.
When to ask Ping7 for repair
Use Ping7 CVE Repair when a student-management app is public, records may have changed, or you need to preserve evidence before replacing unsupported code.