Aggregates CVE and security vulnerability intelligence across all Metinfo-related products, including CVSS, EPSS, publication dates, and vulnerability intelligence data.
Historical issues mainly involve vendor risk csrf, vendor risk path handling, vendor risk xxe, and vendor risk ssrf and related problems; some flaws may lead to vendor impact session compromise and vendor impact data exposure.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-29014 | MetInfo CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code. Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server. | [email protected] | 9.3 | 31.22% | 2026-04-01 | 2026-04-07 |
| CVE-2025-63551 | A Server-Side Request Forgery (SSRF) vulnerability, achievable through an XML External Entity (XXE) injection, exists in MetInfo Content Management System (CMS) thru 8.1. This flaw stems from a defect in the XML parsing logic, which allows an attacker to construct a malicious XML entity that forces the server to initiate an HTTP request to an arbitrary internal or external network address. Successful exploitation could lead to internal network reconnaissance, port scanning, or the retrieval of s | [email protected] | 7.5 | 0.06% | 2025-11-06 | 2026-02-04 |
| CVE-2025-60454 | A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the image management module, specifically in the app\system\img\admin\img_admin.class.php component. The vulnerability allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed by users. | [email protected] | 6.1 | 0.03% | 2025-10-03 | 2025-10-07 |
| CVE-2025-60453 | A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the column management module, specifically in the app\system\column\admin\index.class.php component. The vulnerability allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed by users. | [email protected] | 6.1 | 0.03% | 2025-10-03 | 2025-10-07 |
| CVE-2025-60452 | A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists in the download management module, specifically in the app\system\download\admin\download_admin.class.php component. The vulnerability allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed by users. | [email protected] | 6.1 | 0.03% | 2025-10-03 | 2025-10-07 |
| CVE-2025-60451 | A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists due to insufficient validation and sanitization of SVG file uploads in the app\system\include\module\uploadify.class.php component, specifically in the website settings module. This security flaw allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed. | [email protected] | 6.1 | 0.03% | 2025-10-03 | 2025-10-07 |
| CVE-2025-60450 | A stored Cross-Site Scripting (XSS) vulnerability has been discovered in MetInfo CMS version 8.0. The vulnerability exists due to insufficient validation and sanitization of SVG file uploads in the app\system\include\module\editor\Uploader.class.php component. This security flaw allows attackers to upload malicious SVG files containing JavaScript code that executes when the uploaded file is viewed or accessed. | [email protected] | 6.1 | 0.03% | 2025-10-03 | 2025-10-07 |
| CVE-2022-44849 | A Cross-Site Request Forgery (CSRF) in the Administrator List of MetInfo v7.7 allows attackers to arbitrarily add Super Administrator account. | [email protected] | 8.8 | 0.09% | 2022-12-07 | 2025-04-23 |
| CVE-2022-23335 | Metinfo v7.5.0 was discovered to contain a SQL injection vulnerability in language_general.class.php via doModifyParameter. | [email protected] | 9.8 | 0.49% | 2022-02-14 | 2024-11-21 |
| CVE-2022-22295 | Metinfo v7.5.0 was discovered to contain a SQL injection vulnerability in parameter_admin.class.php via the table_para parameter. | [email protected] | 9.8 | 0.64% | 2022-02-14 | 2024-11-21 |
| CVE-2020-20600 | MetInfo 7.0 beta contains a stored cross-site scripting (XSS) vulnerability in the $name parameter of admin/?n=column&c=index&a=doAddColumn. | [email protected] | 5.4 | 0.29% | 2021-12-22 | 2024-11-21 |
| CVE-2020-21127 | MetInfo 7.0.0 contains a SQL injection vulnerability via admin/?n=logs&c=index&a=dodel. | [email protected] | 9.8 | 0.55% | 2021-09-15 | 2024-11-21 |
| CVE-2020-21126 | MetInfo 7.0.0 contains a Cross-Site Request Forgery (CSRF) via admin/?n=admin&c=index&a=doSaveInfo. | [email protected] | 8.8 | 0.20% | 2021-09-15 | 2024-11-21 |
| CVE-2020-20981 | A SQL injection in the /admin/?n=logs&c=index&a=dolist component of Metinfo 7.0 allows attackers to access sensitive database information. | [email protected] | 7.5 | 0.61% | 2021-08-12 | 2024-11-21 |
| CVE-2020-19305 | An issue in /app/system/column/admin/index.class.php of Metinfo v7.0.0 causes the indeximg parameter to be deleted when the column is deleted, allowing attackers to escalate privileges. | [email protected] | 9.8 | 0.95% | 2021-08-03 | 2024-11-21 |
| CVE-2020-19304 | An issue in /admin/index.php?n=system&c=filept&a=doGetFileList of Metinfo v7.0.0 allows attackers to perform a directory traversal and access sensitive information. | [email protected] | 7.5 | 0.84% | 2021-08-03 | 2024-11-21 |
| CVE-2020-18175 | SQL Injection vulnerability in Metinfo 6.1.3 via a dosafety_emailadd action in basic.php. | [email protected] | 9.8 | 0.51% | 2021-07-30 | 2024-11-21 |
| CVE-2020-18157 | Cross Site Request Forgery (CSRF) vulnerability in MetInfo 6.1.3 via a doaddsave action in admin/index.php. | [email protected] | 8.8 | 0.11% | 2021-07-30 | 2024-11-21 |
| CVE-2020-21133 | SQL Injection vulnerability in Metinfo 7.0.0 beta in member/getpassword.php?lang=cn&a=dovalid. | [email protected] | 9.8 | 0.55% | 2021-07-12 | 2024-11-21 |
| CVE-2020-21132 | SQL Injection vulnerability in Metinfo 7.0.0beta in index.php. | [email protected] | 9.8 | 0.55% | 2021-07-12 | 2024-11-21 |