PT-2026-29514 · Unknown · Metinfo Cms

Egidio Romano · Published 2026-04-01 · Updated 2026-05-06 · CVE-2026-29014

CVSS v3.1: 9.8 Critical

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions: MetInfo CMS versions 7.9 through 8.1

Description: An unauthenticated PHP code injection flaw allows remote attackers to execute arbitrary code by sending crafted requests containing malicious PHP code. This issue stems from insufficient input neutralization in the execution path, enabling attackers to achieve remote code execution and gain full control over the affected server. Real-world exploitation has been observed since April 25, with a significant increase in activity starting May 1. Attackers have used this flaw to gain initial access, escalate privileges, and move laterally across networks.

Recommendations: At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

RCE

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-29014

Affected Products

Metinfo Cms