Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A vulnerability has been found in Metasoft 美特软件 MetaCRM up to 6.4.0. This vulnerability affects the function Statement.executeUpdate of the file sql.jsp of the component Interface. Such manipulation of the argument sql leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
SQL injection in Metasoft MetaCRM versions up to 6.4.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the 'sql' parameter in sql.jsp interface endpoint. Publicly available exploit code exists (disclosed via Feishu document), enabling attackers to read/modify database contents and potentially execute commands. CVSS 7.3 (High) with network vector and low complexity. Vendor non-responsive to disclosure, leaving patch status uncertain. EPSS data not provided but POC availability elevates practical exploitation risk.
Technical ContextAI
The vulnerability resides in the Statement.executeUpdate method implementation within sql.jsp, an exposed interface component of MetaCRM. CWE-89 (SQL Injection) indicates the application fails to properly sanitize user-supplied input to the 'sql' parameter before passing it to database execution functions. Statement.executeUpdate is a Java JDBC API method designed for executing INSERT, UPDATE, or DELETE SQL statements. When user input is directly concatenated or interpolated into SQL queries without parameterization or validation, attackers can inject malicious SQL syntax to manipulate query logic. The affected product is Metasoft MetaCRM (美特软件 MetaCRM), a Chinese customer relationship management platform. The CPE identifier confirms the vendor and product naming in both English and Chinese characters.
RemediationAI
No vendor-released patch identified at time of analysis due to vendor non-responsiveness to disclosure. IMMEDIATE compensating controls required: (1) Block external access to sql.jsp endpoint via WAF rules or reverse proxy configuration-regex block pattern '/sql\.jsp' on internet-facing interfaces, understanding this may break legitimate admin functions requiring VPN access workaround. (2) Implement strict input validation via WAF: allowlist SQL keywords if sql.jsp serves legitimate parameterized query builder function, or deny all requests containing SQL metacharacters (single quotes, semicolons, comment markers dash-dash/slash-asterisk) in 'sql' parameter-note this breaks dynamic query features. (3) Deploy database activity monitoring to detect unauthorized SELECT/INSERT/UPDATE/DELETE operations originating from MetaCRM application account. (4) Apply principle of least privilege: revoke DROP, CREATE, and EXECUTE permissions from MetaCRM database user to limit injection impact-may affect schema migration features. (5) Consider migrating to alternative CRM platforms given vendor abandonment signals. Monitor VulDB reference https://vuldb.com/vuln/358263 and vendor channels for potential future patch releases.
A vulnerability classified as critical has been found in Metasoft 美特软件 MetaCRM up to 6.4.2. This affects an unknown part
Unrestricted file upload in Metasoft MetaCRM (versions up to 6.4.0 Beta06) allows remote unauthenticated attackers to up
Remote code execution in Metasoft MetaCRM through 6.4.2 allows authenticated remote attackers to execute arbitrary code
Unrestricted file upload in Metasoft MetaCRM up to version 6.4.2 via the mobileupload.jsp endpoint allows authenticated
Unrestricted file upload in Metasoft MetaCRM up to version 6.4.2 allows authenticated remote attackers to upload arbitra
Unrestricted file upload in Metasoft MetaCRM up to version 6.4.2 allows authenticated remote attackers to upload arbitra
Unrestricted file upload in Metasoft MetaCRM up to version 6.4.2 allows authenticated remote attackers to upload arbitra
SQL injection in Metasoft MetaCRM up to version 6.4.2 allows authenticated remote attackers to execute arbitrary SQL com
Unrestricted file upload in Metasoft MetaCRM 6.4.0 allows low-privileged authenticated remote attackers to upload arbitr
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23824
GHSA-38x4-r8qv-j5v2