CVE-2026-29014 · CRITICAL 9.8 · EPSS p98.4%

Description

MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 39.69% probability of exploitation · percentile 98.4% · 2026-06-18T12:00:27Z
Published: 2026-04-01
Last modified: 2026-04-07

Underlying weaknesses · 1

CWE-94

References

  1. https://karmainsecurity.com/KIS-2026-06
  2. https://www.metinfo.cn/
  3. https://www.vulncheck.com/advisories/metinfo-cms-unauthenticated-php-code-injection-rce
  4. http://seclists.org/fulldisclosure/2026/Apr/1
  5. https://websec.net/blog/cve-2026-29014-metinfo-cms-unauthenticated-php-code-injection-69cdc290c14a8a99e1f91b7a

| Type | Target | Confidence | Tier |
|------|--------|------------|------|
| Weakness | Improper Control of Generation of Code ('Code Injection') (cwe-94) | 0% | live |

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: Drupal Core SQL Injection Vulnerability
  2. CVE: CVE-2026-30457
  3. CVE: CVE-2025-7714
  4. CVE: CVE-2025-25686
  5. CVE: CVE-2025-15405
  6. CVE: CVE-2026-48907

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.