PatchSiren cyber security CVE debrief
CVE-2026-8758 Unknown Vendor CVE debrief
CVE-2026-8758 describes a remotely reachable unrestricted file upload issue in Metasoft 美特软件 MetaCRM up to 6.4.0 Beta06. The reported weakness is in /common/jsp/upload3.jsp, where manipulating the File argument can enable arbitrary upload behavior. Because the issue is publicly disclosed and may be exploited, exposed deployments should be treated as a meaningful risk even though the listed CVSS score is MEDIUM.
- Vendor: Unknown Vendor
- Product: Unknown
- CVSS: MEDIUM 5.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-17
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-17
- Advisory updated: 2026-05-18
Who should care
Administrators, application owners, and security teams responsible for Metasoft 美特软件 MetaCRM deployments, especially any instance that exposes /common/jsp/upload3.jsp to untrusted networks or users.
Technical summary
The supplied record indicates an unrestricted upload condition in an unknown function of /common/jsp/upload3.jsp. The trigger is manipulation of the File parameter, and the attack can be launched remotely. The CNA-provided weakness mapping includes CWE-434 and CWE-284, which is consistent with file upload abuse and access-control weakness. The source description also states that exploit code or a working exploit has been publicly disclosed.
Defensive priority
High for any internet-facing or broadly reachable MetaCRM instance; medium overall only if the affected endpoint is fully isolated and tightly controlled.
Recommended defensive actions
- Inventory all MetaCRM instances and confirm whether any run a version up to 6.4.0 Beta06.
- Restrict or disable network access to /common/jsp/upload3.jsp if it is not required.
- Apply the vendor fix or upgrade path if one becomes available; if no fix is available, implement compensating controls immediately.
- Harden upload handling by validating every upload server-side against strict allowlists for file type and extension.
- Store uploads outside the web root and prevent execution of uploaded content.
- Monitor logs for unexpected upload activity, unusual file names, and newly created web-accessible files.
- Inspect the application and web directories for suspicious files and review for signs of post-upload abuse.
- If any suspicious uploads are found, treat the host as potentially compromised and investigate for web-shell or persistence activity.
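One way to start the log review described above, as an added example that is not part of the CVE record or any vendor tooling: it flags POST requests to /common/jsp/upload3.jsp and then lists script paths that were first served only after such a request. The log format, the script extensions and the sample lines are assumptions made for illustration.

```python
import re

ENDPOINT = "/common/jsp/upload3.jsp"  # path named in the CVE record
SCRIPT_EXT = (".jsp", ".jspx")        # assumption: extensions the container executes

# Assumption: the web server writes Common/Combined Log Format.
LINE_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/May/2026:09:00:01 +0000] "GET /login.jsp HTTP/1.1" 200 5120',
    '198.51.100.7 - - [18/May/2026:09:02:11 +0000] "POST /common/jsp/upload3.jsp HTTP/1.1" 200 88',
    '198.51.100.7 - - [18/May/2026:09:02:15 +0000] "GET /upload/unknown_file.jsp HTTP/1.1" 200 12',
    '192.0.2.10 - - [18/May/2026:09:03:00 +0000] "GET /login.jsp HTTP/1.1" 200 5120',
    '192.0.2.10 - - [18/May/2026:09:04:00 +0000] "GET /static/logo.png HTTP/1.1" 200 900',
]

def triage(lines):
    """Return (uploads, first_seen): POSTs to the endpoint, and script paths
    served with 200 that were never requested before the first such POST."""
    uploads, first_seen = [], []
    baseline, reported = set(), set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not parse
        # Drop query string and ;jsessionid-style path parameters, fold case.
        path = m["path"].split("?", 1)[0].split(";", 1)[0].lower()
        if path == ENDPOINT:
            if m["method"] == "POST":
                uploads.append((m["ts"], m["ip"], m["status"]))
            continue
        if not path.endswith(SCRIPT_EXT):
            continue
        if not uploads:
            baseline.add(path)  # script paths known before any upload request
        elif m["status"] == "200" and path not in baseline and path not in reported:
            reported.add(path)
            first_seen.append((m["ts"], m["ip"], path))
    return uploads, first_seen

if __name__ == "__main__":
    hits, new_paths = triage(SAMPLE_LOG)
    print("upload requests:", hits)
    print("first-seen script paths:", new_paths)
```

Flagged paths are triage leads only; confirm each against file creation times in the application and web directories before drawing conclusions.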
Evidence notes
Primary evidence comes from the supplied NVD-modified CVE record and its CNA references. The record states that CVE-2026-8758 affects Metasoft 美特软件 MetaCRM up to 6.4.0 Beta06, involves /common/jsp/upload3.jsp, and can lead to unrestricted upload through manipulation of the File argument. The supplied source metadata lists CNA references to a Feishu wiki page and VulDB pages, and the record states the exploit has been publicly disclosed and the vendor did not respond to early contact. Official links in the corpus are the CVE.org record and NVD detail page; no additional claims were used.
Official resources
Publicly disclosed; the supplied description says the vendor was contacted early and did not respond.