Description
MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server.
Published: 2026-04-01
Score: 9.3 Critical
EPSS: 25.6% Moderate
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code on the web server. By sending crafted HTTP requests that embed malicious PHP code, an attacker can achieve remote code execution and gain full control over the affected server. The weakness arises from insufficient input neutralization during execution, classified as CWE‑94, and can lead to loss of confidentiality, integrity, and availability for the target system.

Affected Systems

The vulnerability affects the MetInfo CMS product, specifically releases 7.9, 8.0.0, and 8.1. System administrators should verify whether their deployments run any of these versions.

Risk and Exploitability

With a CVSS score of 9.3 and an EPSS probability of 0.26%, the risk remains high due to the critical impact, despite the low exploitation likelihood. It is likely that an attacker can exploit this flaw by sending unauthenticated HTTP requests containing malicious PHP code, making the attack surface broad. The vulnerability is not listed in the CISA KEV catalog, but its severity warrants immediate action.

Generated by OpenCVE AI on May 13, 2026 at 16:56 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s latest patch or upgrade to a supported MetInfo CMS version.
  • If a patch is not yet available, restrict web access to vulnerable endpoints using a firewall or reverse proxy and disable PHP processing for unauthenticated requests.
  • Configure a web application firewall or implement input filtering to block malicious PHP code injection attempts.

Advisories

No advisories yet.

History

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
First Time appeared Metinfo
Metinfo metinfo
CPEs cpe:2.3:a:metinfo:metinfo:7.9:*:*:*:*:*:*:*
cpe:2.3:a:metinfo:metinfo:8.0.0:*:*:*:*:*:*:*
cpe:2.3:a:metinfo:metinfo:8.1:*:*:*:*:*:*:*
Vendors & Products Metinfo
Metinfo metinfo

Fri, 03 Apr 2026 17:45:00 +0000


Fri, 03 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Fri, 03 Apr 2026 06:30:00 +0000

Type Values Removed Values Added
References

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Metinfo Cms
Metinfo Cms metinfo Cms
Vendors & Products Metinfo Cms
Metinfo Cms metinfo Cms

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server.
Title MetInfo CMS Unauthenticated PHP Code Injection RCE
Weaknesses CWE-94
References
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

cvssV4_0

{'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-03T16:43:15.767Z

Reserved: 2026-03-03T16:42:01.013Z

Link: CVE-2026-29014

Vulnrichment

Updated: 2026-04-03T16:43:15.767Z

NVD

Status: Analyzed

Published: 2026-04-01T13:16:35.063

Modified: 2026-04-07T20:38:52.333

Link: CVE-2026-29014

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-13T17:00:14Z

Weaknesses