Cyber Resilience

CVE-2026-1330

High

Published: 22 January 2026

Published
22 January 2026
Modified
17 February 2026
KEV Added
Patch
CVSS Score v4 8.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0061 44.5th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-1330 is a high-severity Absolute Path Traversal (CWE-36) vulnerability in Hamastar Meetinghub Paperless Meetings. Its CVSS base score is 8.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 44.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-14 (Public Access Protections) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-1330 is an Arbitrary File Read vulnerability affecting MeetingHub, a product developed by HAMASTAR Technology. The flaw enables Absolute Path Traversal, allowing attackers to download arbitrary system files. Published on 2026-01-22, it is rated with a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N) and maps to CWE-36.

Unauthenticated remote attackers can exploit this vulnerability over the network with low attack complexity, requiring no privileges, user interaction, or scope changes. Successful exploitation grants high-impact confidentiality violations by enabling the retrieval of sensitive system files.

Advisories from TWCERT/CC detail the vulnerability and mitigation guidance, available at https://www.twcert.org.tw/en/cp-139-10651-ff09c-2.html and https://www.twcert.org.tw/tw/cp-132-10650-a5ee9-1.html.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

MeetingHub developed by HAMASTAR Technology has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Arbitrary file read via path traversal on a network-accessible application directly enables remote exploitation of a public-facing service (T1190) and retrieval of sensitive local system files (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-1331Same product: Hamastar Meetinghub Paperless Meetings
CVE-2026-2753Shared CWE-36
CVE-2026-4373Shared CWE-36
CVE-2025-57790Shared CWE-36
CVE-2024-13159Shared CWE-36
CVE-2026-0846Shared CWE-36
CVE-2024-8501Shared CWE-36
CVE-2025-7846Shared CWE-36
CVE-2026-1018Shared CWE-36
CVE-2025-34392Shared CWE-36

Affected Assets

hamastar
meetinghub paperless meetings
≤ 2025-12-10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Implements input validation mechanisms at file access points to block absolute path traversal attempts and prevent arbitrary file reads.

prevent

Enforces security safeguards on public interfaces to prevent unauthenticated access to non-public system files via path traversal.

prevent

Mandates enforcement of access control policies to restrict logical access to system files, mitigating unauthorized reads exploited through the vulnerability.

References