cbcvebase.
CVE-2026-29014
published 2026-04-01

CVE-2026-29014: MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by…

PriorityP194critical9.8CVSS 3.1
AVNACLPRNUINSUCHIHAH
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
39.69%
98.4th percentile
MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server.

Affected

4 ranges
VendorProductVersion rangeFixed in
metinfometinfo
metinfometinfo
metinfometinfo
metinfo_cmsmetinfo_cms7.9.0 – 8.1.0

Detection & IOCsextracted from sources · hover to see the quote

path/app/system/weixin/include/class/weixinreply.class.php
path/cache/weixin/
url/app/system/entrance.php?n=include&m=module&c=weixin&a=doapi
command${eval(base64_decode($_SERVER[chr(72).chr(84).chr(84).chr(80).chr(95).chr(67)])))}
otherContent-Type: application/xml with header C: {{base64("echo {{num1}}*{{num2}};die();")}}}
  • Monitor for POST requests to /app/system/entrance.php with query parameters n=include&m=module&c=weixin&a=doapi and Content-Type: application/xml, which is the exploit delivery endpoint for CVE-2026-29014.
  • Detect PHP code injection payloads in HTTP headers or XML body targeting MetInfo, specifically use of eval(base64_decode($_SERVER[...])) patterns delivered via the custom 'C' HTTP header.
  • Exploitation activity has been observed originating from China and Hong Kong IP addresses; geo-filter or alert on inbound requests to MetInfo endpoints from these regions, especially after April 25, 2026.
  • ·Affected versions are MetInfo CMS 7.9, 8.0, and 8.1; patches were released April 7, 2026. Instances not yet patched remain at critical risk (CVSS 9.8).

CVSS provenance

nvdv3.19.8CRITICALCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
nvdv4.09.3CRITICALCVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vulncheck9.3CRITICAL
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.