Metinfo
CVEs (6)
| CVE | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-29014 | Critical | 0.66 | 9.8 | 0.26 | | Apr 1, 2026 | MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server. |
| CVE-2017-11347 | High | 0.57 | 8.8 | 0.01 | | Jul 17, 2017 | Authenticated Code Execution Vulnerability in MetInfo 5.3.17 allows a remote authenticated attacker to generate a PHP script with the content of a malicious image, related to admin/include/common.inc.php and admin/app/physical/physical.php. |
| CVE-2017-9764 | Medium | 0.40 | 6.1 | 0.00 | | Jul 19, 2017 | Cross-site scripting (XSS) vulnerability in MetInfo 5.3.17 allows remote attackers to inject arbitrary web script or HTML via the Client-IP or X-Forwarded-For HTTP header to /include/stat/stat.php in a para action. |
| CVE-2017-6878 | Medium | 0.35 | 5.4 | 0.00 | | Mar 27, 2017 | Cross-site scripting (XSS) vulnerability in MetInfo 5.3.15 allows remote authenticated users to inject arbitrary web script or HTML via the name_2 parameter to admin/column/delete.php. |
| CVE-2017-14513 | Medium | 0.34 | 5.3 | 0.00 | | Sep 17, 2017 | Directory traversal vulnerability in MetInfo 5.3.17 allows remote attackers to read information from any ini format file via the f_filename parameter in a fingerprintdo action to admin/app/physical/physical.php. |
| CVE-2010-4976 | | 0.03 | — | 0.04 | | Nov 1, 2011 | Cross-site scripting (XSS) vulnerability in search/search.php in MetInfo 3.0 allows remote attackers to inject arbitrary web script or HTML via the searchword parameter (aka Search Box field). NOTE: some of these details are obtained from third party information. |