CVE-2026-8758 Overview
CVE-2026-8758 is an unrestricted file upload vulnerability in Metasoft (美特软件) MetaCRM versions up to 6.4.0 Beta06. The flaw resides in the /common/jsp/upload3.jsp endpoint, where manipulation of the File parameter allows attackers to upload arbitrary files. The vulnerability falls under [CWE-284] Improper Access Control and can be exploited remotely without authentication. The exploit has been publicly disclosed. According to the disclosure, the vendor was contacted but did not respond.
Critical Impact
Remote, unauthenticated attackers can upload arbitrary files to vulnerable MetaCRM deployments, potentially leading to webshell deployment and full server compromise.
Affected Products
- Metasoft (美特软件) MetaCRM versions up to and including 6.4.0 Beta06
- Deployments exposing the /common/jsp/upload3.jsp endpoint
- Java Server Pages (JSP) based MetaCRM installations
Discovery Timeline
- 2026-05-17 - CVE-2026-8758 published to the National Vulnerability Database (NVD)
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-8758
Vulnerability Analysis
The vulnerability exists in the /common/jsp/upload3.jsp component of MetaCRM. The endpoint processes file upload requests through the File argument without enforcing adequate restrictions on file type, extension, or content. An attacker submits a crafted HTTP request containing a malicious payload, and the server writes that file to a location within the web application's deployment directory.
Because the application is JSP-based, an attacker who uploads a .jsp file can request it through the web server to achieve server-side code execution. This converts an upload primitive into a full remote code execution path, granting attackers control over the affected host under the privileges of the application server.
The disclosure indicates that the exploit is publicly available and that the vendor did not respond to coordinated disclosure attempts, increasing risk for organizations running affected versions.
Root Cause
The root cause is improper access control combined with missing server-side validation on the upload handler. The upload3.jsp script accepts user-controlled file content via the File parameter without authenticating the caller, restricting allowed file extensions, validating MIME types, or storing uploads outside of executable web paths.
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker sends a multipart HTTP POST request to /common/jsp/upload3.jsp with a crafted File parameter containing a malicious JSP payload. Once the server stores the file in a web-accessible directory, the attacker requests the uploaded file via HTTP to trigger execution.
No verified proof-of-concept code is available in the referenced advisories. Technical details are referenced in the Feishu Security Wiki entry and the VulDB Vulnerability #364385 report.
Detection Methods for CVE-2026-8758
Indicators of Compromise
- HTTP POST requests targeting /common/jsp/upload3.jsp from external or unexpected source addresses
- Newly created .jsp, .jspx, or .war files within MetaCRM upload or web-root directories
- Outbound network connections originating from the MetaCRM application server process to unfamiliar hosts
- Unexpected child processes spawned by the Java application server, such as shells or system utilities
Detection Strategies
- Monitor web server access logs for POST requests to /common/jsp/upload3.jsp and review the File parameter contents
- Apply file integrity monitoring on MetaCRM web directories to flag the creation of new server-executable files
- Inspect web application firewall (WAF) logs for multipart uploads containing JSP-like content or script tags
Monitoring Recommendations
- Alert on process lineage where the Java application server spawns command interpreters such as cmd.exe, bash, or sh
- Track outbound connections from the MetaCRM host to non-corporate destinations and known command-and-control infrastructure
- Review authentication and session logs for anomalous activity following any successful upload event
How to Mitigate CVE-2026-8758
Immediate Actions Required
- Restrict access to /common/jsp/upload3.jsp at the reverse proxy or WAF layer until a vendor fix is available
- Remove or rename upload3.jsp from production deployments if the endpoint is not required by business workflows
- Audit MetaCRM web-accessible directories for unauthorized JSP files and remove any unrecognized artifacts
- Isolate MetaCRM servers from sensitive internal network segments to limit lateral movement potential
Patch Information
No vendor patch is currently available. The VulDB advisory notes that Metasoft did not respond to disclosure attempts. Organizations should track the VulDB Vulnerability #364385 record and the Feishu Security Wiki reference for updates, and contact Metasoft directly for remediation guidance.
Workarounds
- Deploy WAF rules that block multipart upload requests to /common/jsp/upload3.jsp containing executable script content or .jsp extensions in the filename field
- Configure the application server to deny execution of JSP files within upload destination directories using container-level security constraints
- Place MetaCRM behind authenticated reverse proxy access and enforce IP allowlisting for administrative paths
- Disable directory write permissions for the application server user on any path that is also web-executable
# Example: block requests to the vulnerable endpoint at an Nginx reverse proxy
location = /common/jsp/upload3.jsp {
deny all;
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
