Cyber Posture

CVE-2026-29014

Severity: Critical · Public PoC available

Published: 01 April 2026

Modified: 07 April 2026
KEV Added: (no value recorded)
Patch: (no value recorded)
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.2001 (95.5th percentile)
Risk Priority: 32 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Description

MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server.

Mitigating Controls (NIST 800-53 r5) [AI]

Control type: prevent

Requires validation of information inputs to directly address the insufficient input neutralization enabling unauthenticated PHP code injection.

Control type: prevent

Mandates timely identification, reporting, and correction of flaws like the PHP code injection vulnerability in MetInfo CMS.

Control type: prevent, detect

Malicious code protection mechanisms at system entry points can detect and block crafted requests containing injectable PHP code.

Security Summary [AI]

CVE-2026-29014 is an unauthenticated PHP code injection vulnerability affecting MetInfo CMS versions 7.9, 8.0, and 8.1. The flaw arises from insufficient input neutralization in the execution path, allowing remote attackers to execute arbitrary PHP code by sending crafted requests containing malicious code. It carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-94 (Code Injection).

Remote attackers can exploit this vulnerability over the network with low complexity and no required privileges or user interaction. Successful exploitation enables arbitrary code execution, granting full control over the affected server.

Advisories detailing mitigations and patches are available from sources including Karma Infosec (https://karmainsecurity.com/KIS-2026-06), VulnCheck (https://www.vulncheck.com/advisories/metinfo-cms-unauthenticated-php-code-injection-rce), WebSec (https://websec.net/blog/cve-2026-29014-metinfo-cms-unauthenticated-php-code-injection-69cdc290c14a8a99e1f91b7a), and Full Disclosure (http://seclists.org/fulldisclosure/2026/Apr/1), along with the vendor site (https://www.metinfo.cn/). Security practitioners should review these for specific remediation guidance.

Details

CWE(s): CWE-94 (Code Injection)

Affected Products

Vendor: metinfo
Product: metinfo
Versions: 7.9, 8.0.0, 8.1

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (tactic: Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an unauthenticated PHP code injection in a public-facing CMS (MetInfo), enabling remote attackers to achieve RCE via crafted requests, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References