CVE-2026-29014
CRITICAL EXPLOITED NUCLEI
MetInfo CMS 7.9-8.1 - Unauthenticated PHP Code Injection
Title source: manual
Exploitation Summary
CVE-2026-29014 has been observed exploited in the wild (reported by VulnCheck KEV). A Nuclei detection template is also available.
Description
MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server.
Nuclei Templates (1)
MetInfo CMS <= 8.1 - Remote Code Execution
CRITICAL VERIFIED by 0x_Akoko
Shodan:
http.title:"MetInfo"
FOFA:
app="MetInfo"
References (5)
Core References
Exploit (technical-description, exploit)
https://karmainsecurity.com/KIS-2026-06
Product
https://www.metinfo.cn/
Third Party Advisory
https://www.vulncheck.com/advisories/metinfo-cms-unauthenticated-php-code-injection-rce
Mailing List
http://seclists.org/fulldisclosure/2026/Apr/1
Scores
CVSS v3
9.8
EPSS
0.3209
EPSS Percentile
97.0%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
VulnCheck KEV
2026-04-25
CWE
CWE-94
Status
published
Products (4)
metinfo/metinfo
7.9
metinfo/metinfo
8.0.0
metinfo/metinfo
8.1
MetInfo CMS/MetInfo CMS
7.9.0 - 8.1.0
Published
Apr 01, 2026
Tracked Since
Apr 01, 2026