Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A vulnerability was determined in Metasoft 美特软件 MetaCRM up to 6.4.0 Beta06. This impacts an unknown function of the file /common/jsp/upload3.jsp. Executing a manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
AnalysisAI
Unrestricted file upload in Metasoft MetaCRM (versions up to 6.4.0 Beta06) allows remote unauthenticated attackers to upload arbitrary files via the /common/jsp/upload3.jsp endpoint. A publicly disclosed exploit exists (CVSS E:P), enabling attackers to upload malicious files without authentication (PR:N), potentially leading to remote code execution. The vendor did not respond to coordinated disclosure, leaving users vulnerable. EPSS data not available, but the combination of network accessibility, no authentication requirement, and public exploit code indicates elevated real-world risk despite the moderate 5.5 CVSS score.
Technical ContextAI
This is a CWE-434 (Unrestricted Upload of File with Dangerous Type) vulnerability in a JavaServer Pages (JSP) file upload handler. The affected component is /common/jsp/upload3.jsp in Metasoft's MetaCRM customer relationship management system. The vulnerability stems from inadequate validation of the 'File' parameter, allowing attackers to bypass file type restrictions and upload files with arbitrary extensions or content. JSP applications commonly use upload handlers for document management or image processing, but when these handlers fail to properly validate file type, size, and content, attackers can upload web shells (JSP, WAR files) or executable payloads. The CPE string (cpe:2.3:a:metasoft_美特软件:metacrm) identifies this as affecting Metasoft's MetaCRM product line, with confirmed impact through version 6.4.0 Beta06.
RemediationAI
No vendor-released patch has been confirmed as Metasoft did not respond to disclosure. Organizations running MetaCRM 6.4.0 Beta06 or earlier should immediately implement the following compensating controls in priority order: First, block all external network access to /common/jsp/upload3.jsp and /common/jsp/* paths at the web application firewall or reverse proxy level - this prevents remote exploitation but may break legitimate upload functionality for internal users. Second, if upload functionality is required, implement strict authentication and authorization checks before the vulnerable endpoint, limiting access to only trusted authenticated users - this reduces attack surface but does not fix the underlying validation flaw. Third, deploy file upload restrictions at the web server or application server level, allowing only explicitly safe file extensions (PDF, PNG, JPG) and enforcing MIME type validation - note this is bypassable with crafted files and should not be sole protection. Fourth, isolate the MetaCRM application in a segregated network segment with egress filtering to limit post-exploitation impact. Monitor for unusual file uploads or JSP/WAR files appearing in upload directories. Trade-offs: blocking the endpoint may disrupt business workflows dependent on file uploads; authentication requirements may conflict with existing integrations; file type restrictions can be bypassed by sophisticated attackers. Given vendor non-responsiveness, consider migrating to actively maintained CRM alternatives. For detailed exploit indicators, consult the public POC at https://ucn9h68n9289.feishu.cn/wiki/XmoNwpJjJiQrBtkLMitccF56ntb and VulDB CTI at https://vuldb.com/vuln/364385/cti.
A vulnerability classified as critical has been found in Metasoft 美特软件 MetaCRM up to 6.4.2. This affects an unknown part
SQL injection in Metasoft MetaCRM versions up to 6.4.0 allows remote unauthenticated attackers to execute arbitrary SQL
Remote code execution in Metasoft MetaCRM through 6.4.2 allows authenticated remote attackers to execute arbitrary code
Unrestricted file upload in Metasoft MetaCRM up to version 6.4.2 via the mobileupload.jsp endpoint allows authenticated
Unrestricted file upload in Metasoft MetaCRM up to version 6.4.2 allows authenticated remote attackers to upload arbitra
Unrestricted file upload in Metasoft MetaCRM up to version 6.4.2 allows authenticated remote attackers to upload arbitra
Unrestricted file upload in Metasoft MetaCRM up to version 6.4.2 allows authenticated remote attackers to upload arbitra
SQL injection in Metasoft MetaCRM up to version 6.4.2 allows authenticated remote attackers to execute arbitrary SQL com
Unrestricted file upload in Metasoft MetaCRM 6.4.0 allows low-privileged authenticated remote attackers to upload arbitr
Same technique File Upload
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-30705
GHSA-65gp-g5gj-7rfh