SQL Injection Flaw in MetaCRM Exposes Systems to Remote Attack


The National Vulnerability Database has disclosed CVE-2026-6629, a critical SQL injection vulnerability affecting Metasoft's MetaCRM software up to version 6.4.0. Attackers can exploit this flaw remotely by manipulating the 'sql' argument that sql.jsp passes to Statement.executeUpdate, leading to unauthorized data access or modification. The vendor was notified but did not respond, leaving users exposed.

This vulnerability, rated High with a CVSS score of 7.3, allows unauthenticated attackers to inject malicious SQL code. Because the vendor has not responded, organizations relying on MetaCRM must assume the flaw is actively exploitable and that exploitation may already be occurring in the wild. The NVD report gives no finer-grained affected-product details, so any deployment of MetaCRM 6.4.0 or earlier should be considered at risk.

What This Means For You

  • If your organization uses Metasoft MetaCRM version 6.4.0 or earlier, immediately audit your systems. Since the vendor has not responded to disclosures, you cannot rely on a patch. Focus on network segmentation to isolate MetaCRM instances and review access logs for any unusual activity indicative of SQL injection attempts.
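The log review suggested above, as an added example that is not part of the original advisory: a small Python checker that flags web-server access log entries reaching sql.jsp, grades any client-supplied 'sql' argument, and notes the limitation that a 'sql' argument sent in a POST body never appears in access logs. The sample log lines and the /metacrm context path are constructed assumptions, not data from a real deployment.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Combined-format (Apache/nginx) access log line: client, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# Statement types executeUpdate() is meant to run: anything that changes data or schema.
DML_RE = re.compile(r"\b(INSERT|UPDATE|DELETE|DROP|ALTER|TRUNCATE|CREATE)\b", re.I)

# Constructed sample lines (not from a real system); /metacrm is an assumed context path.
SAMPLE_LOG = """\
203.0.113.5 - - [20/Apr/2026:14:20:01 +0000] "GET /metacrm/index.jsp HTTP/1.1" 200 5120
203.0.113.5 - - [20/Apr/2026:14:20:07 +0000] "GET /metacrm/sql.jsp?sql=SELECT+1 HTTP/1.1" 200 88
198.51.100.9 - - [20/Apr/2026:14:21:33 +0000] "GET /metacrm/sql.jsp?sql=UPDATE+t_config+SET+v%3D1 HTTP/1.1" 200 73
198.51.100.9 - - [20/Apr/2026:14:21:40 +0000] "POST /metacrm/sql.jsp HTTP/1.1" 200 73
"""


def inspect_line(line):
    """Return a finding for a request that reaches sql.jsp, or None for anything else."""
    m = LOG_RE.match(line)
    if not m or not urlsplit(m.group("target")).path.lower().endswith("/sql.jsp"):
        return None
    query = urlsplit(m.group("target")).query
    # parse_qs percent-decodes and turns '+' into spaces, so we see the statement as sent.
    stmt = parse_qs(query, keep_blank_values=True).get("sql", [None])[0]
    if stmt is not None:
        # Any client-supplied 'sql' argument is suspect; DML/DDL means data was changed.
        severity = "critical" if DML_RE.search(stmt) else "high"
    else:
        # The 'sql' argument may travel in a POST body, which access logs never record:
        # flag the hit so it can be correlated with application or database logs.
        severity = "medium"
    return {"ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
            "status": int(m.group("status")), "severity": severity, "statement": stmt}


def scan_log(text):
    """Run inspect_line over every line and keep only the findings."""
    return [f for f in (inspect_line(l) for l in text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['severity']:8} {finding['ip']:14} {finding['method']} sql={finding['statement']!r}")
```

Because sql.jsp executes whatever it is handed, every request reaching it is worth a ticket; the severity grading only orders the triage.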

Related ATT&CK Techniques

  • T1190 Exploit Public-Facing Application (Initial Access)

Detection Rules

One detection rule, mapped to MITRE ATT&CK, is available in six SIEM formats, including Sigma YAML:

  • critical · T1190 Initial Access · CVE-2026-6629 MetaCRM sql.jsp SQL Injection

Indicators of Compromise

ID             Type  Indicator
CVE-2026-6629  SQLi  Metasoft 美特软件 MetaCRM up to 6.4.0
CVE-2026-6629  SQLi  sql.jsp::Statement.executeUpdate (component: Interface)
CVE-2026-6629  SQLi  Manipulation of argument 'sql'
Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 20, 2026 at 14:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

