Description
MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server.
Published: 2026-04-01
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

MetInfo CMS versions 7.9, 8.0, and 8.1 allow attackers to inject arbitrary PHP code without authentication. The vulnerability arises from insufficient input sanitization in the execution path, enabling remote code execution and potentially granting full control over the affected server.

Affected Systems

MetInfo CMS, specifically versions 7.9, 8.0, and 8.1.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.3, indicating a critical impact. EPSS data is not available, and the issue is not listed in the CISA KEV catalog. The likely attack vector is an unauthenticated web request containing malicious PHP code, which can be exploited by any entity with network access to the CMS installation.

Generated by OpenCVE AI on April 2, 2026 at 03:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Verify whether official security patches have been released by MetInfo and apply the latest version immediately
  • If a patch is not yet available, restrict execution permissions on PHP files in public directories and enforce strict input validation
  • Deploy a Web Application Firewall to filter requests containing suspicious PHP code patterns

Generated by OpenCVE AI on April 2, 2026 at 03:10 UTC.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | Metinfo Cms; Metinfo Cms metinfo Cms |
| Vendors & Products | | Metinfo Cms; Metinfo Cms metinfo Cms |

Wed, 01 Apr 2026 23:45:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server. |
| Title | | MetInfo CMS Unauthenticated PHP Code Injection RCE |
| Weaknesses | | CWE-94 |
| References | | |
| Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}; cvssV4_0: {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-04-01T15:00:50.939Z

Reserved: 2026-03-03T16:42:01.013Z

Link: CVE-2026-29014

Vulnrichment

No data.

NVD

Status: Awaiting Analysis

Published: 2026-04-01T13:16:35.063

Modified: 2026-04-01T16:23:49.123

Link: CVE-2026-29014

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:17:39Z

Weaknesses