PatchSiren cyber security CVE debrief
CVE-2026-15514 Metasoft 美特软件 CVE debrief
A weakness has been identified in Metasoft 美特软件 MetaCRM up to 6.4.0 Beta06. This vulnerability affects the function RPCService.query of the file /customizemt/xkq/rpc.jsp of the component PHPRPC Remote Call Interface. Executing a manipulation of the argument phprpc_args can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. Security teams should assess the vulnerability's impact on Metasoft MetaCRM systems and prioritize patching or mitigation efforts accordingly.
- Vendor
- Metasoft 美特软件
- Product
- MetaCRM
- CVSS
- MEDIUM 5.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-13
- Original CVE updated
- 2026-07-13
- Advisory published
- 2026-07-13
- Advisory updated
- 2026-07-13
Who should care
Security teams and administrators responsible for Metasoft MetaCRM systems should assess and mitigate this SQL injection vulnerability. They should review system configurations, monitor for suspicious activity, and apply patches or updates as soon as available. Additionally, they should consider implementing input validation and sanitization for the phprpc_args argument to prevent SQL injection attacks.
Technical summary
The vulnerability is located in the RPCService.query function of the /customizemt/xkq/rpc.jsp file within the PHPRPC Remote Call Interface component of Metasoft MetaCRM up to 6.4.0 Beta06. By manipulating the phprpc_args argument, an attacker can inject SQL, potentially leading to unauthorized data access or modification. The vulnerability has a CVSS score of 5.5 and is classified as MEDIUM severity.
Defensive priority
Apply vendor patches or updates as soon as available. Implement input validation and sanitization for the phprpc_args argument. Monitor systems for suspicious activity.
Recommended defensive actions
- Apply patches or updates provided by Metasoft for MetaCRM up to 6.4.0 Beta06.
- Implement input validation and sanitization for the phprpc_args argument in the RPCService.query function.
- Monitor systems for suspicious activity, especially SQL injection attempts.
- Consider compensating controls such as Web Application Firewalls (WAFs) to detect and prevent SQL injection attacks.
- Conduct regular security audits and vulnerability assessments to identify and address potential weaknesses.
Evidence notes
The CVE record was published on 2026-07-13T00:16:47.390Z and has not been modified since then. The NVD entry is currently in the 'Received' status. Limited information is available about the vendor's response or patches.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T00:16:47.390Z and has not been modified since then. The NVD entry is currently in the 'Received' status.