CVE-2026-29014
🔴 Patch now
PHP code injection in MetInfo CMS allows remote execution of arbitrary code.
CVSS
9.8
EPSS
15.8%
Exploit
poc
Vendor
metinfo
Source description (NVD)
MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server.
exploit rce
No patch
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 9.8 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploitation probability) | 15.8% |
| Published (NVD) | 2026-04-01 13:16:35 UTC |
| Last modified (NVD) | 2026-04-07 20:38:52 UTC |
References
- https://karmainsecurity.com/KIS-2026-06 (disclosure@vulncheck.com) [Exploit, Third Party Advisory]
- https://www.metinfo.cn/ (disclosure@vulncheck.com) [Product]
- https://www.vulncheck.com/advisories/metinfo-cms-unauthenticated-php-code-injection-rce (disclosure@vulncheck.com) [Third Party Advisory, VDB Entry]
- http://seclists.org/fulldisclosure/2026/Apr/1 (af854a3a-2127-422b-91ae-364da2661108) [Mailing List, Third Party Advisory]
- https://websec.net/blog/cve-2026-29014-metinfo-cms-unauthenticated-php-code-injection-69cdc290c14a8a99e1f91b7a (af854a3a-2127-422b-91ae-364da2661108) [Exploit, Third Party Advisory]