Critical severity 9.8 · NVD Advisory · Published Apr 1, 2026 · Updated Apr 7, 2026
CVE-2026-29014
Description
MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server.
Affected products (4)
Patches
Vulnerability mechanics
References (5)
- karmainsecurity.com/KIS-2026-06 (nvd: Exploit, Third Party Advisory)
- websec.net/blog/cve-2026-29014-metinfo-cms-unauthenticated-php-code-injection-69cdc290c14a8a99e1f91b7a (nvd: Exploit, Third Party Advisory)
- seclists.org/fulldisclosure/2026/Apr/1 (nvd: Mailing List, Third Party Advisory)
- www.vulncheck.com/advisories/metinfo-cms-unauthenticated-php-code-injection-rce (nvd: Third Party Advisory, VDB Entry)
- www.metinfo.cn (nvd: Product)
News mentions (3)
- ⚡ Weekly Recap: Linux Rootkit, macOS Crypto Stealer, WebSocket Skimmers and More (The Hacker News · May 11, 2026)
- MetInfo CMS CVE-2026-29014 Exploited for Remote Code Execution Attacks (The Hacker News · May 5, 2026)
- MetInfo, Weaver E-cology Vulnerabilities in Attackers’ Crosshairs (SecurityWeek · May 5, 2026)