CVE-2026-29014
CVSS 9.8 · CRITICAL
Summary
MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server.
CVSS 3.1 breakdown
| Metric | Value |
| --- | --- |
| Base score | 9.8 (CRITICAL) |
| Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| Attack vector | NETWORK |
| Attack complexity | LOW |
| Privileges required | NONE |
| User interaction | NONE |
| Scope | UNCHANGED |
| Confidentiality | HIGH |
| Integrity | HIGH |
| Availability | HIGH |
Weakness type (CWE)
Affected products
Metinfo metinfo
Our coverage
- CVE-2026-29014: MetInfo CMS PHP Injection Exploited in the Wild
- CVE-2026-3854: How the GitHub Enterprise Server RCE Works and How to Verify You're Patched
References
- https://karmainsecurity.com/KIS-2026-06
- https://www.metinfo.cn/
- https://www.vulncheck.com/advisories/metinfo-cms-unauthenticated-php-code-injection-rce
- http://seclists.org/fulldisclosure/2026/Apr/1
- https://websec.net/blog/cve-2026-29014-metinfo-cms-unauthenticated-php-code-injection-69cdc290c14a8a99e1f91b7a
Data: NIST NVD. NVD last modified 2026-04-07. Always verify against the vendor advisory before acting.