Home

Description

MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server.

PUBLISHED Reserved 2026-03-03 | Published 2026-04-01 | Updated 2026-04-03 | Assigner VulnCheck




CRITICAL: 9.3CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CRITICAL: 9.8CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Problem types

CWE-94 Improper Control of Generation of Code ('Code Injection')

Product status

Default status
unknown

7.9.0 (semver)
affected

Credits

Egidio Romano finder

References

seclists.org/fulldisclosure/2026/Apr/1

websec.net/...ed-php-code-injection-69cdc290c14a8a99e1f91b7a

karmainsecurity.com/KIS-2026-06 technical-description exploit

www.metinfo.cn/ product

www.vulncheck.com/...-unauthenticated-php-code-injection-rce third-party-advisory

cve.org (CVE-2026-29014)

nvd.nist.gov (CVE-2026-29014)

Download JSON