CVE-2026-29014

🗓️ 01 Apr 2026 12:22:42Reported by VulnCheckType

cve🔗 web.nvd.nist.gov📰️ 6 Media mentions👁 11 Views🌐 WEB

MetInfo CMS unauthenticated PHP code injection enables remote code execution on 7.9, 8.0, 8.1.

Reporter	Title	Published	Views	Family All 15
Circl	CVE-2026-29014	1 Apr 202615:26	–	circl
CNNVD	MetInfo CMS 安全漏洞	1 Apr 202600:00	–	cnnvd
Cvelist	CVE-2026-29014 MetInfo CMS Unauthenticated PHP Code Injection RCE	1 Apr 202612:22	–	cvelist
EUVD	EUVD-2026-17875	1 Apr 202615:31	–	euvd
Nuclei	MetInfo CMS <= 8.1 - Remote Code Execution	6 Jun 202603:01	–	nuclei
NVD	CVE-2026-29014	1 Apr 202613:16	–	nvd
Packet Storm	📄 MetInfo CMS 8.1 Code Injection	1 Apr 202600:00	–	packetstorm
Packet Storm	📄 MetInfo CMS 8.1 Shell Upload Mass Exploiter	24 Apr 202600:00	–	packetstorm
Packet Storm	📄 MetInfo CMS 8.1 PHP Code Injection	24 Apr 202600:00	–	packetstorm
Packet Storm News	MetInfo CMS 8.1 WeChat Module Vulnerability Detection Scanner	24 Apr 202600:00	–	packetstormnews

NVD

Vulners

Node

metinfo metinfoMatch7.9

metinfo metinfoMatch8.0.0

metinfo metinfoMatch8.1

[
  {
    "vendor": "MetInfo CMS",
    "product": "MetInfo CMS",
    "versions": [
      {
        "status": "affected",
        "version": "7.9.0",
        "lessThanOrEqual": "8.1.0",
        "versionType": "semver"
      }
    ],
    "defaultStatus": "unknown"
  }
]

Source	Link
karmainsecurity	www.karmainsecurity.com/KIS-2026-06
metinfo	www.metinfo.cn/
vulncheck	www.vulncheck.com/advisories/metinfo-cms-unauthenticated-php-code-injection-rce
seclists	www.seclists.org/fulldisclosure/2026/Apr/1
websec	www.websec.net/blog/cve-2026-29014-metinfo-cms-unauthenticated-php-code-injection-69cdc290c14a8a99e1f91b7a

Parameter	Position	Path	Description	CWE
C	header	/app/system/entrance.php	PHP code injection via crafted XML/headers enabling remote code execution in MetInfo CMS ≤ 8.1 (CVE-2026-29014).	CWE-94

07 Apr 2026 20:38Current

6.7Medium risk

Vulners AI Score6.7

CVSS 49.3

CVSS 3.19.8

EPSS0.31224

SSVC