Unauthenticated PHP Code Injection in MetInfo CMS by MetInfo
CVE-2026-29014

9.3 CRITICAL

Key Information:

Vendor
CVE Published: 1 April 2026

Badges

📈 Trended | 📈 Score: 1,780 | 👾 Exploit Exists | 🟡 Public PoC | 🟣 EPSS 33% | 📰 News Worthy

What is CVE-2026-29014?

CVE-2026-29014 is a vulnerability in the MetInfo Content Management System (CMS), present in versions 7.9, 8.0, and 8.1. MetInfo CMS is used to build and manage websites, giving users tools to create and organize content. The flaw is an unauthenticated PHP code injection: a remote attacker can send specially crafted requests that cause arbitrary PHP code to execute on the server. It arises from inadequate input validation within the execution flow, which lets an attacker gain unauthorized access to the system and potentially take complete control of the affected server. For organizations using MetInfo CMS, exploitation can lead to serious security breaches, data loss, and unauthorized access to sensitive information.

Potential impact of CVE-2026-29014

  1. Remote Code Execution: Attackers can execute arbitrary code, which means they could perform a wide range of actions on the server, including installing malware or redirecting website traffic, thereby compromising the integrity and functionality of the affected website.

  2. Full Server Control: Gaining full control over the server could allow attackers to access and exfiltrate sensitive data, manipulate website content, or use the server for further attacks, potentially involving other connected systems.

  3. Operational Downtime: Exploitation of this vulnerability could lead to significant downtime for the affected web services, disrupting business operations and causing potential revenue loss and damage to the organization's reputation.

Affected Version(s)

MetInfo CMS 7.9.0 <= 8.1.0

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.

News Articles

MetInfo CMS CVE-2026-29014 Exploited for Remote Code Execution Attacks

Ravie Lakshmanan | May 05, 2026 | Vulnerability / Network Security

MetInfo CMS flaw CVE-2026-29014 exploited after April 7 patch, enabling remote code execution and targeting 2,000 instances.

EPSS Score

33% chance of being exploited in the next 30 days.

CVSS V4

Score: 9.3
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • 📈 Vulnerability started trending

  • 📰 First article discovered by The Hacker News

  • 🟡 Public PoC available

  • 👾 Exploit known to exist

  • Vulnerability published

  • Vulnerability Reserved

Credit

Egidio Romano