Skip to main content

Metacrm EUVDEUVD-2026-23824

| CVE-2026-6629 MEDIUM
SQL Injection (CWE-89)
2026-04-20 VulDB GHSA-38x4-r8qv-j5v2
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
CVSS changed
Apr 29, 2026 - 01:12 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
Severity Changed
Apr 20, 2026 - 11:22 NVD
HIGH MEDIUM
CVSS changed
Apr 20, 2026 - 11:22 NVD
7.3 (HIGH) 6.9 (MEDIUM)
Analysis Generated
Apr 20, 2026 - 11:05 vuln.today
EUVD ID Assigned
Apr 20, 2026 - 10:45 euvd
EUVD-2026-23824
Analysis Generated
Apr 20, 2026 - 10:45 vuln.today
CVE Published
Apr 20, 2026 - 10:15 nvd
MEDIUM 5.5

DescriptionCVE.org

A vulnerability has been found in Metasoft 美特软件 MetaCRM up to 6.4.0. This vulnerability affects the function Statement.executeUpdate of the file sql.jsp of the component Interface. Such manipulation of the argument sql leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

SQL injection in Metasoft MetaCRM versions up to 6.4.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the 'sql' parameter in sql.jsp interface endpoint. Publicly available exploit code exists (disclosed via Feishu document), enabling attackers to read/modify database contents and potentially execute commands. CVSS 7.3 (High) with network vector and low complexity. Vendor non-responsive to disclosure, leaving patch status uncertain. EPSS data not provided but POC availability elevates practical exploitation risk.

Technical ContextAI

The vulnerability resides in the Statement.executeUpdate method implementation within sql.jsp, an exposed interface component of MetaCRM. CWE-89 (SQL Injection) indicates the application fails to properly sanitize user-supplied input to the 'sql' parameter before passing it to database execution functions. Statement.executeUpdate is a Java JDBC API method designed for executing INSERT, UPDATE, or DELETE SQL statements. When user input is directly concatenated or interpolated into SQL queries without parameterization or validation, attackers can inject malicious SQL syntax to manipulate query logic. The affected product is Metasoft MetaCRM (美特软件 MetaCRM), a Chinese customer relationship management platform. The CPE identifier confirms the vendor and product naming in both English and Chinese characters.

RemediationAI

No vendor-released patch identified at time of analysis due to vendor non-responsiveness to disclosure. IMMEDIATE compensating controls required: (1) Block external access to sql.jsp endpoint via WAF rules or reverse proxy configuration-regex block pattern '/sql\.jsp' on internet-facing interfaces, understanding this may break legitimate admin functions requiring VPN access workaround. (2) Implement strict input validation via WAF: allowlist SQL keywords if sql.jsp serves legitimate parameterized query builder function, or deny all requests containing SQL metacharacters (single quotes, semicolons, comment markers dash-dash/slash-asterisk) in 'sql' parameter-note this breaks dynamic query features. (3) Deploy database activity monitoring to detect unauthorized SELECT/INSERT/UPDATE/DELETE operations originating from MetaCRM application account. (4) Apply principle of least privilege: revoke DROP, CREATE, and EXECUTE permissions from MetaCRM database user to limit injection impact-may affect schema migration features. (5) Consider migrating to alternative CRM platforms given vendor abandonment signals. Monitor VulDB reference https://vuldb.com/vuln/358263 and vendor channels for potential future patch releases.

Share

EUVD-2026-23824 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy