PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-15514 Metasoft 美特软件 CVE debrief

A weakness has been identified in Metasoft 美特软件 MetaCRM up to 6.4.0 Beta06. This vulnerability affects the function RPCService.query of the file /customizemt/xkq/rpc.jsp of the component PHPRPC Remote Call Interface. Executing a manipulation of the argument phprpc_args can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. Security teams should assess the vulnerability's impact on Metasoft MetaCRM systems and prioritize patching or mitigation efforts accordingly.

Vendor
Metasoft 美特软件
Product
MetaCRM
CVSS
MEDIUM 5.5
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-13
Original CVE updated
2026-07-13
Advisory published
2026-07-13
Advisory updated
2026-07-13

Who should care

Security teams and administrators responsible for Metasoft MetaCRM systems should assess and mitigate this SQL injection vulnerability. They should review system configurations, monitor for suspicious activity, and apply patches or updates as soon as available. Additionally, they should consider implementing input validation and sanitization for the phprpc_args argument to prevent SQL injection attacks.

Technical summary

The vulnerability is located in the RPCService.query function of the /customizemt/xkq/rpc.jsp file within the PHPRPC Remote Call Interface component of Metasoft MetaCRM up to 6.4.0 Beta06. By manipulating the phprpc_args argument, an attacker can inject SQL, potentially leading to unauthorized data access or modification. The vulnerability has a CVSS score of 5.5 and is classified as MEDIUM severity.

Defensive priority

Apply vendor patches or updates as soon as available. Implement input validation and sanitization for the phprpc_args argument. Monitor systems for suspicious activity.

Recommended defensive actions

  • Apply patches or updates provided by Metasoft for MetaCRM up to 6.4.0 Beta06.
  • Implement input validation and sanitization for the phprpc_args argument in the RPCService.query function.
  • Monitor systems for suspicious activity, especially SQL injection attempts.
  • Consider compensating controls such as Web Application Firewalls (WAFs) to detect and prevent SQL injection attacks.
  • Conduct regular security audits and vulnerability assessments to identify and address potential weaknesses.

Evidence notes

The CVE record was published on 2026-07-13T00:16:47.390Z and has not been modified since then. The NVD entry is currently in the 'Received' status. Limited information is available about the vendor's response or patches.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-13T00:16:47.390Z and has not been modified since then. The NVD entry is currently in the 'Received' status.