CVE-2026-29014
MetInfo · CMS
MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability allowing remote attackers to execute arbitrary code on the server.
Executive summary
An unauthenticated remote code execution vulnerability in MetInfo CMS allows attackers to gain full control over the affected web server.
Vulnerability
This is an unauthenticated PHP code injection vulnerability caused by insufficient input neutralization. Attackers can submit crafted HTTP requests containing malicious PHP code to execute arbitrary commands on the underlying server.
Business impact
The ability to perform remote code execution represents a total compromise of the application and the host server. With a CVSS score of 9.8, this flaw could lead to complete data theft, unauthorized modification of website content, and the potential lateral movement of attackers into the internal network.
Remediation
Immediate Action: Upgrade to the latest version of MetInfo CMS that includes the security fix for this vulnerability.
Proactive Monitoring: Inspect server logs for suspicious HTTP requests and unauthorized file modifications or new, unexpected files in the web root.
Compensating Controls: Deploy a Web Application Firewall (WAF) with rules configured to detect and block malicious PHP injection patterns in incoming requests.
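The two monitoring steps above (unexpected files in the web root, suspicious requests in the logs) can be automated with a small baseline-and-diff script. The following is an added example written for this advisory, not MetInfo project code; the advisory does not name the vulnerable endpoint or parameter, so the file layout, the sample log lines and the keyword patterns here are constructed assumptions that stand in for whatever a given deployment actually serves. It hashes every file under a web root, reports new, modified and deleted files against a saved baseline, and runs a generic PHP-injection keyword check over URL-decoded request targets from an Apache/nginx combined-format access log.

```python
"""Added example (not MetInfo code): web-root integrity diff plus a
simple access-log filter for PHP-injection keywords in request targets.
Paths, log lines and patterns below are constructed assumptions."""
import hashlib
import os
import re
import tempfile
from urllib.parse import unquote_plus

# Combined log format: ip ident user [ts] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)
# Generic indicators of PHP code in a request target (assumed pattern set,
# not tied to any specific MetInfo parameter).
SUSPICIOUS = re.compile(
    r'<\?php|\b(?:eval|system|passthru|shell_exec|base64_decode)\s*\(',
    re.IGNORECASE,
)
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".phar")

# Constructed sample log lines; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, not real hosts.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Mar/2026:12:00:01 +0000] "GET /index.php?lang=en HTTP/1.1" 200 5123',
    '203.0.113.7 - - [10/Mar/2026:12:00:02 +0000] "GET /index.php?lang=%3C%3Fphp+phpinfo%28%29%3B HTTP/1.1" 200 44',
    '198.51.100.9 - - [10/Mar/2026:12:00:03 +0000] "POST /admin/login.php HTTP/1.1" 302 0',
    '198.51.100.9 - - [10/Mar/2026:12:00:04 +0000] "GET /app/?a=base64_decode%28 HTTP/1.1" 200 12',
]


def build_manifest(root):
    """Map each file under root (path relative to root) to its SHA-256 digest."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[os.path.relpath(full, root)] = h.hexdigest()
    return manifest


def diff_manifest(baseline, current):
    """Return sorted (new, modified, deleted) paths between two manifests."""
    new = sorted(p for p in current if p not in baseline)
    modified = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    deleted = sorted(p for p in baseline if p not in current)
    return new, modified, deleted


def php_files(paths):
    """Keep only paths that the PHP engine would execute; new ones deserve a look first."""
    return [p for p in paths if p.lower().endswith(PHP_EXTENSIONS)]


def parse_log_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_suspicious_requests(lines):
    """Return (ip, method, decoded target) for requests matching SUSPICIOUS."""
    hits = []
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        decoded = unquote_plus(rec["target"])  # decode %xx and '+' before matching
        if SUSPICIOUS.search(decoded):
            hits.append((rec["ip"], rec["method"], decoded))
    return hits


def demo_webroot_diff():
    """Build a throwaway web root, baseline it, then add and modify files.

    Returns (new_php, modified, deleted) so the behaviour can be checked
    without touching a real server; the layout is a constructed assumption.
    """
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "upload"))
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'v1';")
    baseline = build_manifest(root)
    # Simulate what a compromise would leave behind: a new PHP file under an
    # upload directory and a changed core file.
    with open(os.path.join(root, "upload", "unexpected.php"), "w") as f:
        f.write("<?php echo 'dropped';")
    with open(os.path.join(root, "index.php"), "w") as f:
        f.write("<?php echo 'v2';")
    new, modified, deleted = diff_manifest(baseline, build_manifest(root))
    return php_files(new), modified, deleted


if __name__ == "__main__":
    new_php, modified, deleted = demo_webroot_diff()
    print("new PHP files:", new_php)
    print("modified:", modified, "deleted:", deleted)
    for ip, method, target in flag_suspicious_requests(SAMPLE_LOG):
        print(f"suspicious {method} from {ip}: {target}")
```

In practice the baseline manifest is taken from a known-good install (or the vendor package) and stored off-host, and the check is scheduled rather than run once. Two caveats: access logs record only the request line, so injected code sent in a POST body is invisible to this filter and needs request-body logging at the reverse proxy or WAF; and a keyword list like SUSPICIOUS is a triage aid, not a detection boundary, since encodings the filter does not decode will slip past it.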
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Organizations running MetInfo CMS must prioritize patching this vulnerability to prevent full server takeover. Ensure that security updates are applied as soon as they are made available by the vendor to eliminate the risk of remote code execution.