CVE-2026-29014
Awaiting Analysis Awaiting Analysis - Queue
Unauthenticated PHP Code Injection in MetInfo CMS Allows RCE

Publication date: 2026-04-01

Last updated on: 2026-04-07

Assigner: VulnCheck

Description
MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-01
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-04-01
EPSS Evaluated
2026-06-15
NVD
CVE-2026-29014
EUVD
EUVD-2026-17875
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
metinfo metinfo 8.0.0
metinfo metinfo 7.9
metinfo metinfo 8.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-29014 is a critical unauthenticated PHP code injection vulnerability affecting MetInfo CMS versions 7.9, 8.0, and 8.1.

The vulnerability arises from insufficient input neutralization in the execution path, specifically in the handling of user input from the EventKey and FromUserName XML tags in HTTP requests to the Weixin API.

Attackers can send specially crafted requests containing malicious PHP code that is improperly sanitized before being used in cache operations, allowing them to inject and execute arbitrary PHP code on the server.

This leads to remote code execution (RCE) without any authentication, enabling attackers to gain full control over the affected server.

Impact Analysis

This vulnerability allows remote attackers to execute arbitrary PHP code on the affected server without authentication.

Successful exploitation can lead to full control over the server, which means attackers can manipulate, steal, or destroy data, disrupt services, or use the server as a foothold for further attacks.

Because the attack requires no privileges or user interaction and has a low attack complexity, it poses a severe risk to the confidentiality, integrity, and availability of the system.

Detection Guidance

This vulnerability can be detected by monitoring for suspicious HTTP requests targeting the MetInfo CMS, specifically crafted to exploit the unauthenticated PHP code injection flaw. Attackers send specially crafted requests containing malicious PHP code to the /app/system/weixin/include/class/weixinreply.class.php file, particularly exploiting the wxAdminLogin() method.

Detection can focus on identifying unusual requests containing payloads in the EventKey and FromUserName XML tags, which are used unsafely in cache::get() and cache::put() calls. Monitoring web server logs for requests to the Weixin API endpoint that include suspicious PHP code or path traversal sequences in these parameters can help identify exploitation attempts.

Suggested commands to detect potential exploitation attempts include searching web server logs for suspicious patterns. For example, using grep on Apache or Nginx logs:

  • grep -i 'EventKey' /var/log/apache2/access.log | grep -E 'php|\$|\{|\}'
  • grep -i 'FromUserName' /var/log/apache2/access.log | grep -E 'php|\$|\{|\}'

Additionally, checking for the presence of unexpected or suspicious files in the /cache/weixin/ directory, such as Array.php, which may indicate exploitation, can be useful:

  • ls -l /path/to/metinfo/cache/weixin/
  • grep -r '<?php' /path/to/metinfo/cache/weixin/
Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable MetInfo CMS versions 7.9, 8.0, and 8.1, especially the /app/system/weixin/include/class/weixinreply.class.php file and the /cache/weixin/ directory.

Since no official fix is currently available, it is critical to implement network-level protections such as firewall rules or web application firewall (WAF) rules to block malicious requests containing suspicious PHP code or path traversal sequences targeting the Weixin API endpoints.

Disabling or uninstalling the official WeChat plugin, which creates the vulnerable /cache/weixin/ directory, can reduce the attack surface if it is not essential.

Monitoring and auditing the server for signs of compromise, including unexpected PHP files in cache directories and unusual process activity, is also recommended.

Finally, plan to upgrade to a patched version of MetInfo CMS once an official fix is released or apply custom patches to sanitize inputs properly.

Compliance Impact

The CVE-2026-29014 vulnerability allows unauthenticated remote code execution on affected MetInfo CMS servers, enabling attackers to gain full control over the server. This level of compromise can lead to unauthorized access, modification, or disclosure of sensitive data hosted on the server.

Such unauthorized access and control can result in violations of common data protection standards and regulations like GDPR and HIPAA, which require strict controls to protect confidentiality, integrity, and availability of personal and sensitive information.

Therefore, if exploited, this vulnerability could cause non-compliance with these regulations due to potential data breaches, loss of data integrity, and service availability issues.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-29014. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart