Description
MeetingHub developed by HAMASTAR Technology has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
Published: 2026-01-22
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution
Action: Immediate Patch
AI Analysis

Impact

MeetingHub by HAMASTAR Technology contains an arbitrary file upload weakness that allows unauthenticated remote attackers to upload and execute arbitrary code on the server. The flaw can be exploited by submitting a malicious file to a publicly exposed endpoint, effectively granting the attacker full control over the application environment.

Affected Systems

The vulnerability affects installations of the MeetingHub product from AMASTAR Technology. No specific version range is provided beyond the vendor’s recommendation; the vendor recommends applying the patch released on 20251210 or later to resolve the issue.

Risk and Exploitability

The CVSS base score is 9.3, indicating a high severity vulnerability. The EPSS score is less than 1%, implying a low probability of exploitation in current use. The vulnerability is not listed within the CISA KEV catalog. Attackers can exploit the flaw over the network without authentication, uploading a malicious payload to the vulnerable endpoint and executing it with the privileges of the web application.

Generated by OpenCVE AI on April 18, 2026 at 03:50 UTC.

Remediation

Vendor Solution

Install the patch with version 20251210 or later.

OpenCVE Recommended Actions

  • Install the vendor patch version 20251210 or later immediately.
  • Restrict the file upload capabilities to allow only trusted file types and perform strict MIME type validation.
  • Configure the upload directory so that it does not permit execution of uploaded files and enforce restrictive file permissions.

Generated by OpenCVE AI on April 18, 2026 at 03:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 17 Feb 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Hamastar meetinghub Paperless Meetings
CPEs cpe:2.3:a:hamastar:meetinghub_paperless_meetings:*:*:*:*:*:*:*:*
Vendors & Products Hamastar meetinghub Paperless Meetings

Fri, 23 Jan 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Hamastar
Hamastar meetinghub
Vendors & Products Hamastar
Hamastar meetinghub

Thu, 22 Jan 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 22 Jan 2026 09:15:00 +0000

Type Values Removed Values Added
Description MeetingHub developed by HAMASTAR Technology has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.
Title AMASTAR Technology|MeetingHub - Arbitrary File Upload
Weaknesses CWE-434
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

Hamastar Meetinghub Meetinghub Paperless Meetings
cve-icon MITRE

Status: PUBLISHED

Assigner: twcert

Published:

Updated: 2026-01-22T15:01:37.784Z

Reserved: 2026-01-22T07:56:35.743Z

Link: CVE-2026-1331

cve-icon Vulnrichment

Updated: 2026-01-22T15:00:25.644Z

cve-icon NVD

Status : Analyzed

Published: 2026-01-22T09:15:52.197

Modified: 2026-02-17T19:32:31.533

Link: CVE-2026-1331

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-18T04:00:08Z

Weaknesses