Unauthenticated PHP Code Injection in MetInfo CMS by MetInfo
CVE-2026-29014
Key Information:
- Vendor: Metinfo Cms
- CVE Published: 1 April 2026
What is CVE-2026-29014?
CVE-2026-29014 is a notable vulnerability affecting the MetInfo Content Management System (CMS), specifically present in versions 7.9, 8.0, and 8.1. MetInfo CMS is designed for building and managing websites, providing users with tools to create and organize content efficiently. The flaw is characterized as an unauthenticated PHP code injection vulnerability, enabling remote attackers to send specially crafted requests that allow them to execute arbitrary PHP code on the server. This deficiency arises from inadequate input validation within the execution flow, allowing malicious actors to gain unauthorized access to the system and potentially take complete control over the affected server. The implications for organizations using MetInfo CMS are significant, as exploitation of this vulnerability can lead to serious security breaches, data loss, and unauthorized access to sensitive information.
Potential impact of CVE-2026-29014
- Remote Code Execution: Attackers can execute arbitrary code, which means they could perform a wide range of actions on the server, including installing malware or redirecting website traffic, thereby compromising the integrity and functionality of the affected website.
- Full Server Control: Gaining full control over the server could allow attackers to access and exfiltrate sensitive data, manipulate website content, or use the server for further attacks, potentially involving other connected systems.
- Operational Downtime: Exploitation of this vulnerability could lead to significant downtime for the affected web services, disrupting business operations and causing potential revenue loss and damage to the organization's reputation.

Affected Version(s)
MetInfo CMS 7.9.0 <= 8.1.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate the vulnerability can be exploited. PoC code is also a key component for weaponization which could lead to ransomware.
News Articles
MetInfo CMS CVE-2026-29014 Exploited for Remote Code Execution Attacks
Ravie Lakshmanan, May 05, 2026, Vulnerability / Network Security
MetInfo CMS flaw CVE-2026-29014 exploited after April 7 patch, enabling remote code execution and targeting 2,000 instances.
EPSS Score
25% chance of being exploited in the next 30 days.
Timeline
- 📈 Vulnerability started trending
- 📰 First article discovered by The Hacker News
- 🟡 Public PoC available
- 👾 Exploit known to exist
- Vulnerability published
- Vulnerability Reserved
