Description
A vulnerability was determined in Metasoft 美特软件 MetaCRM up to 6.4.0 Beta06. This impacts an unknown function of the file /common/jsp/upload3.jsp. Executing a manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-17
Score: 6.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the upload3.jsp page of Metasoft 美特软件 MetaCRM and allows an attacker to upload any file type because the File argument is not validated. The flaw exposes a classic unrestricted upload weakness that can be abused to place executable or malicious content on the server. The damage ranges from file system contamination to potential execution of scripts if placed in a web-accessible directory, thereby threatening confidentiality and integrity of the application.

Affected Systems

All installations of Metasoft 美特软件 MetaCRM up to and including version 6.4.0 Beta06 are affected. The specific endpoint, /common/jsp/upload3.jsp, is responsible for handling file uploads and is the target of the exploit. No later versions were mentioned as unaffected in the provided data.

Risk and Exploitability

The CVSS score of 6.9 indicates moderate severity, and the EPSS score is not available, suggesting limited data on recent exploit activity. The vulnerability is not listed in CISA KEV, but it has been publicly disclosed and is acknowledged as exploitable. Attackers can launch the exploit remotely by sending a crafted request to the upload3.jsp endpoint, thereby achieving unrestricted uploads without user interaction.

Generated by OpenCVE AI on May 17, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Remove or block the /common/jsp/upload3.jsp page from public access via firewall or URL filtering so that no remote requests can reach it.
  • If file upload functionality is required, enforce strict file type validation by checking extensions, MIME types, and file signatures server‑side; reject any unsupported or dangerous formats.
  • Apply role‑based access controls so that only authenticated and authorized users can invoke the upload endpoint, and log all upload attempts for audit and monitoring.

Advisories

No advisories yet.

History

Sun, 17 May 2026 16:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Metasoft; Metasoft metacrm
Vendors & Products | | Metasoft; Metasoft metacrm

Sun, 17 May 2026 14:00:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability was determined in Metasoft 美特软件 MetaCRM up to 6.4.0 Beta06. This impacts an unknown function of the file /common/jsp/upload3.jsp. Executing a manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Title | | Metasoft 美特软件 MetaCRM upload3.jsp unrestricted upload
First Time appeared | | Metasoft; Metasoft metacrm
Weaknesses | | CWE-284; CWE-434
CPEs | | cpe:2.3:a:metasoft_:metacrm:*:*:*:*:*:*:*:*
Vendors & Products | | Metasoft; Metasoft metacrm
References | |
Metrics | | cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
 | | cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
 | | cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-05-17T13:45:36.564Z

Reserved: 2026-05-16T17:41:11.004Z

Link: CVE-2026-8758

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-17T14:16:22.327

Modified: 2026-05-17T14:16:22.327

Link: CVE-2026-8758

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-17T16:45:05Z
