CVE-2026-8758

7.3 HIGH

A vulnerability was determined in Metasoft 美特软件 MetaCRM up to 6.4.0 Beta06

Published: 2026-05-17 · Last updated: 2026-05-18

Severity and scoring

CVSS: 7.3 HIGH
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CWE: CWE-284, CWE-434

Description

A vulnerability was determined in Metasoft 美特软件 MetaCRM up to 6.4.0 Beta06. This impacts an unknown function of the file /common/jsp/upload3.jsp. Executing a manipulation of the argument File can lead to unrestricted upload. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-8758
[Other]https://ucn9h68n9289.feishu.cn/wiki/XmoNwpJjJiQrBtkLMitccF56ntb
[Other]https://vuldb.com/submit/811283
[Other]https://vuldb.com/vuln/364385
[Other]https://vuldb.com/vuln/364385/cti

Related CVEs

Same CWE

CVE-2026-40750 — Unrestricted Upload of File with Dangerous Type vulnerability in themagnifico52 Kids Online Store allows Upload a Web Shell to a Web Server (9.9 CRITICAL)
CVE-2026-6933 — The Premmerce Dev Tools plugin for WordPress is vulnerable to Remote Code Execution via missing authorization in versions up to and inclu... (8.8 HIGH)
CVE-2026-47261 — Wasmtime is a runtime for WebAssembly (7.5 HIGH)
CVE-2026-40772 — Unauthenticated Arbitrary File Upload in GeekyBot <= 1.2.2 versions (10.0 CRITICAL)
CVE-2026-39591 — Subscriber Arbitrary File Upload in WP-BusinessDirectory <= 4.0.0 versions (9.9 CRITICAL)