CVE-2026-29014
Unauthenticated PHP Code Injection in MetInfo CMS Allows RCE
Publication date: 2026-04-01
Last updated on: 2026-04-07
Assigner: VulnCheck
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| metinfo | metinfo | 8.0.0 |
| metinfo | metinfo | 7.9 |
| metinfo | metinfo | 8.1 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-29014 is a critical unauthenticated PHP code injection vulnerability affecting MetInfo CMS versions 7.9, 8.0, and 8.1.
The vulnerability arises from insufficient input neutralization in the execution path, specifically in the handling of user input from the EventKey and FromUserName XML tags in HTTP requests to the Weixin API.
Attackers can send specially crafted requests containing malicious PHP code that is improperly sanitized before being used in cache operations, allowing them to inject and execute arbitrary PHP code on the server.
This leads to remote code execution (RCE) without any authentication, enabling attackers to gain full control over the affected server.
How can this vulnerability impact me?
This vulnerability allows remote attackers to execute arbitrary PHP code on the affected server without authentication.
Successful exploitation can lead to full control over the server, which means attackers can manipulate, steal, or destroy data, disrupt services, or use the server as a foothold for further attacks.
Because the attack requires no privileges or user interaction and has a low attack complexity, it poses a severe risk to the confidentiality, integrity, and availability of the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for suspicious HTTP requests targeting the MetInfo CMS, specifically crafted to exploit the unauthenticated PHP code injection flaw. Attackers send specially crafted requests containing malicious PHP code to the /app/system/weixin/include/class/weixinreply.class.php file, particularly exploiting the wxAdminLogin() method.
Detection can focus on identifying unusual requests containing payloads in the EventKey and FromUserName XML tags, which are used unsafely in cache::get() and cache::put() calls. Monitoring web server logs for requests to the Weixin API endpoint that include suspicious PHP code or path traversal sequences in these parameters can help identify exploitation attempts.
Suggested commands to detect potential exploitation attempts include searching web server logs for suspicious patterns. For example, using grep on Apache or Nginx logs:
- `grep -i 'EventKey' /var/log/apache2/access.log | grep -E 'php|\$|\{|\}'`
- `grep -i 'FromUserName' /var/log/apache2/access.log | grep -E 'php|\$|\{|\}'`
Additionally, checking for the presence of unexpected or suspicious files in the /cache/weixin/ directory, such as Array.php, which may indicate exploitation, can be useful:
- `ls -l /path/to/metinfo/cache/weixin/`
- `grep -r '<?php' /path/to/metinfo/cache/weixin/`
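As an added example (not part of this advisory page and not MetInfo's code), the following Python script applies the two checks above to constructed sample data: it pulls the EventKey and FromUserName values out of logged request bodies and flags the PHP-like characters and path traversal sequences the advisory names, and it walks a cache/weixin directory for files that carry a PHP open tag. The log layout with a trailing `body="..."` field, the client addresses, and the file names other than Array.php are assumptions made for the sample.

```python
import os
import re
import tempfile
from pathlib import Path

# Constructed sample log lines. The body="..." field is an assumed format
# written by a reverse proxy or WAF that logs request bodies; a stock
# access log would not contain it.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Apr/2026:10:00:01 +0000] "POST /app/system/weixin/ HTTP/1.1" 200 512 body="<xml><FromUserName>user123</FromUserName><EventKey>subscribe</EventKey></xml>"
203.0.113.9 - - [01/Apr/2026:10:00:07 +0000] "POST /app/system/weixin/ HTTP/1.1" 200 512 body="<xml><FromUserName>../../x</FromUserName><EventKey>{$evil}</EventKey></xml>"
198.51.100.2 - - [01/Apr/2026:10:00:09 +0000] "GET /index.php HTTP/1.1" 200 1024
"""

# The two XML tags the advisory identifies as the unsafe inputs.
TAG_RE = re.compile(r"<(EventKey|FromUserName)>(.*?)</\1>")
# Indicators from the advisory's grep: PHP open tag, $, braces, plus ../ traversal.
SUSPICIOUS_RE = re.compile(r"<\?php|\$|\{|\}|\.\./|\.\.\\", re.IGNORECASE)


def suspicious_tag_values(line):
    """Return (tag, value) pairs whose value contains a suspicious indicator."""
    hits = []
    for match in TAG_RE.finditer(line):
        tag, value = match.group(1), match.group(2)
        if SUSPICIOUS_RE.search(value):
            hits.append((tag, value))
    return hits


def scan_log(text):
    """Scan log text line by line; report line number, client address and hits."""
    findings = []
    for number, line in enumerate(text.splitlines(), 1):
        hits = suspicious_tag_values(line)
        if hits:
            client = line.split(" ", 1)[0]
            findings.append({"line": number, "client": client, "hits": hits})
    return findings


def find_php_in_cache(cache_dir):
    """Return sorted paths of files under cache_dir containing a PHP open tag.

    A cache directory should hold data, not executable PHP, so any hit
    deserves a look (the advisory names Array.php as one such artifact).
    """
    found = []
    for path in Path(cache_dir).rglob("*"):
        if not path.is_file():
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue
        if b"<?php" in data or b"<?=" in data:
            found.append(str(path))
    return sorted(found)


def demo_cache_scan():
    """Build a throwaway cache/weixin directory (constructed) and scan it.

    Returns the base names of flagged files.
    """
    with tempfile.TemporaryDirectory() as tmp:
        weixin = Path(tmp) / "cache" / "weixin"
        weixin.mkdir(parents=True)
        (weixin / "token.cache").write_text("serialized-cache-data")  # benign
        (weixin / "Array.php").write_text("<?php /* constructed sample */ ?>")
        return [os.path.basename(f) for f in find_php_in_cache(weixin)]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"line {finding['line']} from {finding['client']}: {finding['hits']}")
    print("PHP files in cache:", demo_cache_scan())
```

A stock Apache or Nginx access log records only the request line, not the POST body in which these XML tags travel, so the log check is only meaningful where a reverse proxy, WAF or body-logging module writes request bodies to the log; the file-system check does not depend on that and is the more reliable of the two on a host you can inspect directly.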
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The CVE-2026-29014 vulnerability allows unauthenticated remote code execution on affected MetInfo CMS servers, enabling attackers to gain full control over the server. This level of compromise can lead to unauthorized access, modification, or disclosure of sensitive data hosted on the server.
Such unauthorized access and control can result in violations of common data protection standards and regulations like GDPR and HIPAA, which require strict controls to protect confidentiality, integrity, and availability of personal and sensitive information.
Therefore, if exploited, this vulnerability could cause non-compliance with these regulations due to potential data breaches, loss of data integrity, and service availability issues.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the vulnerable MetInfo CMS versions 7.9, 8.0, and 8.1, especially the /app/system/weixin/include/class/weixinreply.class.php file and the /cache/weixin/ directory.
Since no official fix is currently available, it is critical to implement network-level protections such as firewall rules or web application firewall (WAF) rules to block malicious requests containing suspicious PHP code or path traversal sequences targeting the Weixin API endpoints.
Disabling or uninstalling the official WeChat plugin, which creates the vulnerable /cache/weixin/ directory, can reduce the attack surface if it is not essential.
Monitoring and auditing the server for signs of compromise, including unexpected PHP files in cache directories and unusual process activity, is also recommended.
Finally, plan to upgrade to a patched version of MetInfo CMS once an official fix is released or apply custom patches to sanitize inputs properly.