CVE-2026-6629 Overview
A SQL injection vulnerability has been discovered in Metasoft 美特软件 MetaCRM versions up to 6.4.0. This vulnerability affects the Statement.executeUpdate function within the sql.jsp file of the Interface component. Attackers can exploit this flaw by manipulating the sql argument to inject malicious SQL commands. The vulnerability is remotely exploitable, and exploit details have been publicly disclosed.
Critical Impact
This SQL injection vulnerability allows unauthenticated remote attackers to execute arbitrary SQL commands against the backend database, potentially leading to data exfiltration, data manipulation, or complete database compromise.
Affected Products
- Metasoft 美特软件 MetaCRM up to version 6.4.0
Discovery Timeline
- April 20, 2026 - CVE-2026-6629 published to NVD
- April 22, 2026 - Last updated in NVD database
Technical Details for CVE-2026-6629
Vulnerability Analysis
This vulnerability is classified as CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component), which encompasses injection flaws including SQL injection. The vulnerable endpoint sql.jsp directly processes user-supplied input through the sql parameter without proper sanitization or parameterized queries. This allows an attacker to inject SQL statements that are executed with the privileges of the database connection used by the application.
The vendor was contacted regarding this vulnerability but did not respond to the disclosure, leaving users potentially exposed without an official patch or mitigation guidance.
Root Cause
The root cause of this vulnerability lies in the improper handling of user input in the sql.jsp file. The application directly incorporates the sql parameter value into database queries via Statement.executeUpdate without implementing proper input validation, sanitization, or parameterized prepared statements. This design flaw allows malicious SQL syntax to pass through and be executed by the database engine.
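The design flaw described above, shown beside a hardened shape, as an added example in Python with sqlite3. It is not MetaCRM's JSP code. It assumes, per the description above, that the request's sql value reaches the database as the statement itself; the table, handler names and operation names are hypothetical.

```python
import sqlite3

def make_db():
    """Constructed in-memory table standing in for application data."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, phone TEXT)")
    db.execute("INSERT INTO contacts (name, phone) VALUES ('Ada', '555-0100')")
    db.commit()
    return db

def handle_vulnerable(db, params):
    """Flawed pattern: the request's `sql` value IS the statement that runs."""
    cur = db.execute(params["sql"])  # analogous to Statement.executeUpdate(sql)
    db.commit()
    return cur.rowcount

# Hardened shape: the caller selects a named operation. The SQL text is fixed
# server-side and request values are only ever bound as parameters.
OPERATIONS = {
    "set_phone": ("UPDATE contacts SET phone = ? WHERE id = ?", ("phone", "id")),
    "add_contact": ("INSERT INTO contacts (name, phone) VALUES (?, ?)", ("name", "phone")),
}

def handle_hardened(db, params):
    """Run one allow-listed statement; reject anything else, including `sql`."""
    op = OPERATIONS.get(params.get("op"))
    if op is None:
        raise ValueError("unknown operation")
    statement, fields = op
    try:
        values = tuple(params[f] for f in fields)
    except KeyError as missing:
        raise ValueError(f"missing parameter {missing}") from None
    cur = db.execute(statement, values)
    db.commit()
    return cur.rowcount
```

Parameter binding alone cannot repair an endpoint whose input is the whole statement, which is why the hardened handler replaces the sql argument with an allow-list of fixed statements.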
Attack Vector
The attack can be launched remotely over the network without requiring authentication. An attacker can craft malicious HTTP requests to the vulnerable sql.jsp endpoint, injecting SQL commands through the sql parameter. The exploitation requires no user interaction and can be automated for large-scale attacks.
The vulnerability manifests in the Statement.executeUpdate function where unsanitized input is processed. The malicious SQL payload is passed directly to the database engine, allowing attackers to perform operations such as extracting sensitive data, modifying records, or potentially escalating privileges within the database system. Technical details and exploit information have been documented in the VulDB Vulnerability Entry.
Detection Methods for CVE-2026-6629
Indicators of Compromise
- HTTP requests to sql.jsp containing SQL keywords such as UNION, SELECT, INSERT, UPDATE, DELETE, or DROP in the sql parameter
- Unusual database queries or errors in application logs originating from the Interface component
- Unexpected database modifications or data exfiltration patterns
Detection Strategies
- Implement Web Application Firewall (WAF) rules to detect and block SQL injection patterns targeting the sql.jsp endpoint
- Monitor web server access logs for suspicious requests containing SQL syntax in query parameters
- Deploy database activity monitoring to identify anomalous query patterns or unauthorized data access
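One way to run the access-log check from the indicators and strategies above, as an added example that is not part of the original advisory. It assumes combined-format access logs; the sample lines, addresses and table names are constructed, and the path match on sql.jsp under any directory is an assumption because the advisory does not give the full URL.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote_plus

# Keywords taken from the Indicators of Compromise list above.
SQL_KEYWORDS = re.compile(r"\b(UNION|SELECT|INSERT|UPDATE|DELETE|DROP)\b", re.I)
# Client address, request URI and status from a combined-format log line.
REQUEST = re.compile(r'^(\S+) .*?"[A-Z]+ (\S+) HTTP/[\d.]+" (\d{3})')

# Constructed sample lines (documentation IP ranges, placeholder table names).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2026:10:00:00 +0000] "GET /index.jsp HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Jan/2026:10:00:05 +0000] "GET /sql.jsp?sql=update+demo+set+a%3D1 HTTP/1.1" 200 17',
    '198.51.100.7 - - [01/Jan/2026:10:00:09 +0000] "GET /SQL.jsp;x=1?sql=%2544ROP%2520TABLE%2520demo HTTP/1.1" 500 90',
    '192.0.2.10 - - [01/Jan/2026:10:00:12 +0000] "GET /sql.jsp?sql=ping HTTP/1.1" 200 4',
]

def fully_decode(value, max_rounds=3):
    """Undo repeated URL-encoding so encoded keywords are still matched."""
    for _ in range(max_rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_requests(log_lines):
    """Return (client, status, decoded_sql) for requests to sql.jsp whose
    sql parameter contains one of the advisory's SQL keywords."""
    hits = []
    for line in log_lines:
        m = REQUEST.match(line)
        if not m:
            continue
        client, uri, status = m.groups()
        parts = urlsplit(uri)
        # Ignore case and any ";name=value" path parameters after the file name.
        path = parts.path.split(";", 1)[0].lower()
        if not path.endswith("/sql.jsp"):
            continue
        for value in parse_qs(parts.query).get("sql", []):
            decoded = fully_decode(value)
            if SQL_KEYWORDS.search(decoded):
                hits.append((client, int(status), decoded))
    return hits
```

Access logs normally omit request bodies, so a POST to sql.jsp will not show its sql value here and should be reviewed on its own.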
Monitoring Recommendations
- Enable detailed logging for the MetaCRM application, particularly for the Interface component and database interactions
- Set up alerts for failed login attempts or SQL errors that may indicate injection attempts
- Conduct regular database integrity checks to detect unauthorized modifications
How to Mitigate CVE-2026-6629
Immediate Actions Required
- Restrict network access to the MetaCRM application to trusted IP addresses only
- Disable or remove the sql.jsp endpoint if it is not required for business operations
- Implement a Web Application Firewall with SQL injection protection rules
- Review and audit database user permissions to minimize the impact of potential exploitation
Patch Information
No official patch is currently available from the vendor. The vendor was contacted regarding this disclosure but did not respond. Organizations using MetaCRM should monitor for any security updates from Metasoft and apply patches immediately when available.
Workarounds
- Block external access to the sql.jsp endpoint using network security controls or reverse proxy configuration
- Implement input validation at the application layer to sanitize the sql parameter
- Apply the principle of least privilege to database accounts used by the application
- Consider deploying a virtual patching solution through WAF rules until an official fix is released
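# Example: Block access to the vulnerable endpoint via nginx
# The case-insensitive regex matches sql.jsp under any directory, including
# requests that append path parameters such as ";jsessionid=...".
# Place it before any other regex location (e.g. one matching \.jsp$).
location ~* /sql\.jsp {
    # "return" runs in the rewrite phase, before access-phase rules such as
    # "deny all", so it alone rejects every request.
    return 403;
}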