CVE-2026-29014

MetInfo CMS Unauthenticated PHP Code Injection RCE

CVSS 9.3 CRITICALEPSS 39.7%CWE-94

Vexday Risk Score

75High priority

SSVC decision (CISA)

Attend

PoC available → attend closely

CVSS 9.3EPSS 39.7%KEV nãoPoC públicaNuclei simMetasploit —Patch —

Lifecycle

01 Apr 2026Published on NVD

Recommendation: Plan a near-term fix — a public PoC already exists.

MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

MetInfo CMS · MetInfo CMS

public PoCs found — 1

cve_referencekarmainsecurity.com/KIS-2026-06unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://seclists.org/fulldisclosure/2026/Apr/1 https://karmainsecurity.com/KIS-2026-06 https://websec.net/blog/cve-2026-29014-metinfo-cms-unauthenticated-php-code-injection-69cdc290c14a8a99e1f91b7a https://www.metinfo.cn/https://www.vulncheck.com/advisories/metinfo-cms-unauthenticated-php-code-injection-rce