CVE-2026-1330
Published: 22 January 2026
Summary
CVE-2026-1330 is a high-severity Absolute Path Traversal (CWE-36) vulnerability in Hamastar Meetinghub Paperless Meetings. Its CVSS base score is 8.7 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-1330 is an Arbitrary File Read vulnerability affecting MeetingHub, a product developed by HAMASTAR Technology. The flaw enables Absolute Path Traversal, allowing attackers to download arbitrary system files. Published on 2026-01-22, it is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-36.
Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges, user interaction, or scope changes. Successful exploitation grants high-impact confidentiality violations by enabling the retrieval of sensitive system files.
Advisories from TWCERT/CC detail the vulnerability and mitigation guidance, available at https://www.twcert.org.tw/en/cp-139-10651-ff09c-2.html and https://www.twcert.org.tw/tw/cp-132-10650-a5ee9-1.html.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-4168
Vulnerability details
MeetingHub developed by HAMASTAR Technology has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Arbitrary file read via path traversal on a network-accessible application directly enables remote exploitation of a public-facing service (T1190) and retrieval of sensitive local system files (T1005).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Implements input validation mechanisms at file access points to block absolute path traversal attempts and prevent arbitrary file reads.
Enforces security safeguards on public interfaces to prevent unauthenticated access to non-public system files via path traversal.
Mandates enforcement of access control policies to restrict logical access to system files, mitigating unauthorized reads exploited through the vulnerability.