Description
MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server.
Published: 2026-04-01
Score: 9.3 Critical
EPSS: 15.8% Moderate
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows attackers to execute arbitrary code. By sending crafted requests with malicious PHP code, an attacker can achieve remote code execution, giving full control over the affected server. The weakness is insufficient neutralization of input during execution, classified as CWE-94, and it leads to total loss of confidentiality, integrity, and availability for the target system.

Affected Systems

The vulnerability affects the MetInfo CMS product, specifically releases 7.9, 8.0.0, and 8.1. System administrators should verify whether their deployments run any of these versions.

Risk and Exploitability

With a CVSS score of 9.3 and an EPSS probability of 11 %, the risk is high. Exploitation requires only unauthenticated HTTP requests containing embedded PHP code, so the attack surface is broad. The vulnerability is not listed in the CISA KEV catalog, but its severity warrants immediate action. An attacker does not need privileged credentials and can trigger the flaw by targeting exposed endpoints that process PHP scripts.

Generated by OpenCVE AI on April 21, 2026 at 23:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the MetInfo CMS vendor website for an official patch or upgrade to a version newer than 8.1.1.
  • If an immediate patch is unavailable, restrict web access to vulnerable endpoints using a firewall or reverse proxy and disable PHP processing for unauthenticated requests.
  • Verify that no unauthenticated PHP code execution is possible by testing with safe payloads.
  • Continuously monitor web server logs for suspicious requests containing PHP code fragments and apply security best practices such as input validation and least privilege.



Advisories

No advisories yet.

History

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Metinfo
Metinfo metinfo
CPEs cpe:2.3:a:metinfo:metinfo:7.9:*:*:*:*:*:*:*
cpe:2.3:a:metinfo:metinfo:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:metinfo:metinfo:8.1:*:*:*:*:*:*:*
Vendors & Products Metinfo
Metinfo metinfo

Fri, 03 Apr 2026 17:45:00 +0000


Fri, 03 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 06:30:00 +0000

Type Values Removed Values Added
References

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Metinfo Cms
Metinfo Cms metinfo Cms
Vendors & Products Metinfo Cms
Metinfo Cms metinfo Cms

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server.
Title MetInfo CMS Unauthenticated PHP Code Injection RCE
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-03T16:43:15.767Z

Reserved: 2026-03-03T16:42:01.013Z

Link: CVE-2026-29014

Vulnrichment

Updated: 2026-04-03T16:43:15.767Z

NVD

Status: Analyzed

Published: 2026-04-01T13:16:35.063

Modified: 2026-04-07T20:38:52.333

Link: CVE-2026-29014

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T23:30:02Z

Weaknesses