MetInfo weixinreply command injection

Added: 05/07/2026

Background

MetInfo is an open-source content management system (CMS), developed in China, that is written in PHP and uses MySQL.

Problem

A vulnerability in the weixinreply class allows remote attackers to execute arbitrary commands by sending an API request with specially crafted EventKey and FromUserName XML tags.

Resolution

Apply the patch.

References

https://karmainsecurity.com/KIS-2026-06
