Critical severity9.8NVD Advisory· Published Apr 1, 2026· Updated Apr 7, 2026

CVE-2026-29014

Description

MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server.

Affected products

Metinfo/Metinfo3 versions
cpe:2.3:a:metinfo:metinfo:7.9:*:*:*:*:*:*:*+ 2 more
- cpe:2.3:a:metinfo:metinfo:7.9:*:*:*:*:*:*:*
- cpe:2.3:a:metinfo:metinfo:8.0.0:*:*:*:*:*:*:*
- cpe:2.3:a:metinfo:metinfo:8.1:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

karmainsecurity.com/KIS-2026-06nvdExploitThird Party Advisory
websec.net/blog/cve-2026-29014-metinfo-cms-unauthenticated-php-code-injection-69cdc290c14a8a99e1f91b7anvdExploitThird Party Advisory
seclists.org/fulldisclosure/2026/Apr/1nvdMailing ListThird Party Advisory
www.vulncheck.com/advisories/metinfo-cms-unauthenticated-php-code-injection-rcenvdThird Party AdvisoryVDB Entry
www.metinfo.cnnvdProduct

News mentions

MetInfo CMS CVE-2026-29014 Exploited for Remote Code Execution Attacks
The Hacker News · May 5, 2026
MetInfo, Weaver E-cology Vulnerabilities in Attackers’ Crosshairs
SecurityWeek · May 5, 2026

cvss	0.637
epss	0.021
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000