MetInfo CMS RCE (CVE-2026-29014)
CVE-2026-29014 is a critical unauthenticated RCE in MetInfo CMS 7.9 to 8.1 that grants full server control via crafted PHP payloads. Upgrade to a patched version immediately.
High exploitation risk (EPSS 95th percentile). CVE-2026-29014 is a critical unauthenticated remote code execution vulnerability in MetInfo CMS versions 7.9, 8.0, and 8.1 that grants attackers full server control by injecting arbitrary PHP code via specially crafted requests. Apply the official security patch without delay.
Overview
A critical unauthenticated remote code execution (RCE) vulnerability, tracked as CVE-2026-29014, affects MetInfo CMS versions 7.9, 8.0, and 8.1. The flaw stems from insufficient input neutralization in a specific execution path, allowing attackers to inject and execute arbitrary PHP code on the server without requiring any login credentials.
Technical Impact
With a CVSS score of 9.8 (Critical), this vulnerability is highly severe because of its network-based attack vector and the absence of any privilege or user-interaction requirement. A remote attacker can send a specially crafted request containing malicious PHP code to a vulnerable MetInfo instance. Successful exploitation results in the execution of that code with the web server's permissions, granting the attacker full control over the affected system. That control can be used to steal data, deploy malware, create backdoors, or use the server as a foothold for further attacks within the network.
Affected Products
- MetInfo CMS version 7.9
- MetInfo CMS version 8.0
- MetInfo CMS version 8.1
Users should verify their installed version immediately.
Remediation and Mitigation
The primary and most urgent action is to apply the official patch. The MetInfo development team has released security updates addressing this vulnerability. Administrators must upgrade their installations to a patched version without delay.
If immediate patching is not possible, consider the following temporary mitigation steps:
- Restrict Access: Use network-level controls, such as a Web Application Firewall (WAF), to block malicious requests targeting the vulnerable endpoint. IP allow-listing for the admin panel can also reduce the attack surface.
- Monitor Logs: Closely review web server and application logs for suspicious POST requests containing PHP code snippets or unusual file operations.
Given the ease of exploitation, treat this as an emergency patch event.
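One way to act on the log-review and allow-listing steps above, as an added example that is not part of this advisory or of MetInfo itself: a small Python scanner that parses Combined Log Format lines, flags POST requests whose request line (decoded twice, so double-URL-encoded payloads are caught) contains a PHP open tag, and flags admin-panel requests from addresses outside an operator allow-list. The admin prefix `/admin/`, the allow-list network, the placeholder endpoint name and the log lines are all assumptions constructed for the example.

```python
import ipaddress
import re
from urllib.parse import unquote_plus

# Combined Log Format (Apache/nginx default): client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} \S+'
)
# PHP open tags (long form and short echo form) as they appear in injected code.
PHP_TAG_RE = re.compile(r"<\?(php\b|=)", re.IGNORECASE)
# Assumed admin panel prefix and operator allow-list; adjust to the real deployment.
ADMIN_PREFIX = "/admin/"
ADMIN_ALLOW = [ipaddress.ip_network("203.0.113.0/24")]

def classify(line):
    """Return the findings for one log line; an empty list means nothing flagged."""
    m = LOG_RE.match(line)
    if m is None:
        return ["unparseable-line"]
    findings = []
    # Decode twice so a double-URL-encoded payload is also visible to the regex.
    target = unquote_plus(unquote_plus(m["target"]))
    # Rule 1: POST request carrying PHP code in the URL/query the log recorded.
    if m["method"] == "POST" and PHP_TAG_RE.search(target):
        findings.append("php-code-in-request")
    # Rule 2: admin panel reached from an address outside the allow-list.
    if target.startswith(ADMIN_PREFIX):
        src = ipaddress.ip_address(m["ip"])
        if not any(src in net for net in ADMIN_ALLOW):
            findings.append("admin-access-outside-allowlist")
    return findings

def scan(log_text):
    """Return (client IP, findings) for every line that triggered a rule."""
    hits = []
    for line in filter(None, log_text.splitlines()):
        findings = classify(line)
        if findings:
            hits.append((line.split(" ", 1)[0], findings))
    return hits

# Constructed sample lines; the endpoint name is a placeholder, not the real vulnerable path.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Mar/2026:12:00:01 +0000] "GET /index.php?lang=en HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Mar/2026:12:00:05 +0000] "POST /admin/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2026:12:01:15 +0000] "POST /admin/index.php HTTP/1.1" 200 812 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2026:12:01:20 +0000] "POST /VULN_ENDPOINT_PLACEHOLDER.php?v=%3C%3Fphp+echo+1%3B HTTP/1.1" 200 0 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2026:12:01:25 +0000] "POST /VULN_ENDPOINT_PLACEHOLDER.php?v=%253C%253Fphp+echo+1%253B HTTP/1.1" 200 0 "-" "python-requests/2.31"
"""
```

Access logs record only the request line, so this catches code sent through the query string; to cover POST bodies, apply `PHP_TAG_RE` to the body field of a WAF or ModSecurity audit log in the same way.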
Security Insight
This vulnerability continues a concerning pattern of critical RCE flaws in widely used CMS platforms, often stemming from basic input sanitization failures. It highlights the persistent challenge of securing complex, user-input-heavy applications and underscores why content management systems remain prime targets for attackers seeking scalable compromise.