CVE-2026-29014

MetInfo CMS Unauthenticated PHP Code Injection RCE

CVSS 9.3 CRITICALEPSS 39.7%CWE-94

MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected products

MetInfo CMS · MetInfo CMS

public PoCs found — 1

cve_referencekarmainsecurity.com/KIS-2026-06unverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

http://seclists.org/fulldisclosure/2026/Apr/1 https://karmainsecurity.com/KIS-2026-06 https://websec.net/blog/cve-2026-29014-metinfo-cms-unauthenticated-php-code-injection-69cdc290c14a8a99e1f91b7a https://www.metinfo.cn/https://www.vulncheck.com/advisories/metinfo-cms-unauthenticated-php-code-injection-rce