CVE-2026-15514
Metasoft · MetaCRM
Metasoft MetaCRM version 6.4.0 Beta06 contains a SQL injection vulnerability that allows unauthenticated remote attackers to execute arbitrary database commands.
Executive summary
A critical SQL injection vulnerability in Metasoft MetaCRM 6.4.0 Beta06 poses a significant risk of unauthorized data access and system compromise by unauthenticated attackers.
Vulnerability
This vulnerability is a SQL injection (CWE-89) flaw resulting from improper neutralization of special elements in input parameters. The vulnerability is accessible to unauthenticated remote attackers via network vectors.
Business impact
The ability to perform SQL injection allows an attacker to bypass authentication and access sensitive CRM data, potentially leading to a major data breach. With a CVSS score of 7.3, this vulnerability requires urgent remediation to protect the confidentiality and integrity of customer and business information stored within the CRM.
Remediation
Immediate Action: Verify if a production-ready update is available beyond the Beta version. If the software is currently in use, isolate the system from public-facing networks until a patch is applied.
Proactive Monitoring: Monitor application logs for signs of SQL injection attempts and anomalous traffic originating from external sources.
Compensating Controls: Implement WAF rules to filter malicious SQL strings and perform rigorous input validation at the application level where possible.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
Organizations utilizing Metasoft MetaCRM should treat this as a high-priority incident. Given the nature of CRM systems holding sensitive data, it is recommended to restrict access to the application and coordinate directly with the vendor for a security update to address this injection flaw.