Description
MeetingHub developed by HAMASTAR Technology has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files.
Published: 2026-01-22
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote File Disclosure
Action: Patch Now
AI Analysis

Impact

An absolute path traversal flaw in MeetingHub allows an unauthenticated remote attacker to read arbitrary files from the underlying system. The vulnerability can be triggered by crafting URLs that reference directories outside the intended file location, enabling disclosure of sensitive configuration and credential files. The impact is primarily confidentiality loss, and the flaw is quantified with a CVSS score of 8.7 indicating high severity.

Affected Systems

HAMASTAR Technology’s MeetingHub is affected. All releases prior to the patch version 20251210 are vulnerable. The patch releases MeetingHub 20251210 or later contain the fix; any earlier versions remain at risk.

Risk and Exploitability

The CVSS base score of 8.7 signals a critical exposure, yet the EPSS score is below 1%, implying a low rate of observed exploitation. The vulnerability is not listed in the CISA KEV catalog, suggesting it has not yet been widely used in the wild. An attacker can exploit the flaw over the network by sending crafted requests without authentication, as no client-side authentication is required to trigger the file read.

Generated by OpenCVE AI on April 18, 2026 at 03:51 UTC.

Remediation

Vendor Solution

Install the patch with version 20251210 or later.

OpenCVE Recommended Actions

  • Upgrade MeetingHub to version 20251210 or later.
  • If immediate upgrade is not possible, isolate the application from public networks or restrict access to trusted hosts only.
  • Implement a web‑application‑firewall rule to block requests that contain path traversal patterns such as "../" or absolute paths.

Generated by OpenCVE AI on April 18, 2026 at 03:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Hamastar meetinghub Paperless Meetings
CPEs cpe:2.3:a:hamastar:meetinghub_paperless_meetings:*:*:*:*:*:*:*:*
Vendors & Products Hamastar meetinghub Paperless Meetings

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Hamastar
Hamastar meetinghub
Vendors & Products Hamastar
Hamastar meetinghub

Thu, 22 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 22 Jan 2026 08:45:00 +0000

Type Values Removed Values Added
Description MeetingHub developed by HAMASTAR Technology has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files.
Title HAMASTAR Technology|MeetingHub - Arbitrary File Read
Weaknesses CWE-36
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Hamastar Meetinghub Meetinghub Paperless Meetings
cve-icon MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-01-22T15:04:55.209Z

Reserved: 2026-01-22T07:56:34.132Z

Link: CVE-2026-1330

cve-icon Vulnrichment

Updated: 2026-01-22T15:04:49.616Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-22T09:15:51.990

Modified: 2026-02-17T19:31:32.393

Link: CVE-2026-1330

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T04:00:08Z

Weaknesses