Critical Code Injection Vulnerability in MetInfo CMS Exploited in the Wild
Threat actors are actively exploiting a critical code injection vulnerability, **CVE-2026-29014**, in the open-source content management system (CMS) **MetInfo**. The vulnerability allows unauthenticated remote attackers to execute arbitrary code, potentially gaining full control over affected servers.

### MetInfo CMS Code Injection Vulnerability (CVE-2026-29014) Under Active Exploitation
According to new findings from **VulnCheck**, a critical security flaw impacting **MetInfo**, an open-source CMS, is being actively exploited.
The vulnerability, **CVE-2026-29014** (CVSS score: 9.8), is a code injection flaw that can lead to arbitrary code execution.
According to the **NIST** National Vulnerability Database (NVD), "**MetInfo** CMS versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability that allows remote attackers to execute arbitrary code by sending crafted requests with malicious PHP code."
The NVD further states, "Attackers can exploit insufficient input neutralization in the execution path to achieve remote code execution and gain full control over the affected server."
### Root Cause and Exploit Details
Security researcher Egidio Romano discovered the vulnerability and traced it to the `/app/system/weixin/include/class/weixinreply.class.php` script. The flaw stems from inadequate sanitization of user-supplied input when issuing Weixin (aka WeChat) API requests.
Remote, unauthenticated attackers can exploit this flaw to inject and execute arbitrary PHP code. On non-Windows servers, successful exploitation requires that the `/cache/weixin/` directory exists; it is created during the installation and configuration of the official WeChat plugin.
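
The conditions above can be turned into a local triage check for a single installation. The following is an added example, not code from MetInfo, VulnCheck or the researcher; the function names and verdict labels are hypothetical, the version is supplied by the operator, and treating point releases such as 8.1.0 as part of the 8.1 series is an assumption.

```python
import platform
import tempfile
from pathlib import Path

# Values taken from the article; everything else here is illustrative.
AFFECTED_SERIES = {"7.9", "8.0", "8.1"}
VULN_SCRIPT = "app/system/weixin/include/class/weixinreply.class.php"
WEIXIN_CACHE = "cache/weixin"


def series(version):
    """Reduce '8.1.0' or 'v8.1' to '8.1' (assumes point releases share the flaw)."""
    return ".".join(version.strip().lstrip("vV").split(".")[:2])


def triage(webroot, version, is_windows=None):
    """Classify one install. `version` is supplied by the operator."""
    root = Path(webroot)
    if is_windows is None:
        is_windows = platform.system() == "Windows"
    result = {
        "affected_series": series(version) in AFFECTED_SERIES,
        "script_present": (root / VULN_SCRIPT).is_file(),
        "weixin_cache_present": (root / WEIXIN_CACHE).is_dir(),
    }
    if not (result["affected_series"] and result["script_present"]):
        result["verdict"] = "no-indicator"
    elif is_windows or result["weixin_cache_present"]:
        # The article names the directory as a prerequisite only off Windows.
        result["verdict"] = "preconditions-met"
    else:
        result["verdict"] = "cache-dir-absent"
    return result


def build_sample(root, with_cache):
    """Constructed directory tree standing in for a MetInfo webroot."""
    script = Path(root) / VULN_SCRIPT
    script.parent.mkdir(parents=True)
    script.write_text("<?php // placeholder, not MetInfo code\n")
    if with_cache:
        (Path(root) / WEIXIN_CACHE).mkdir(parents=True)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, with_cache=True)
        print(triage(tmp, "8.1", is_windows=False))
```

A `preconditions-met` verdict does not show whether the April 7, 2026 patch has been applied, so it marks an install to verify against the vendor fix first, and `cache-dir-absent` only lowers priority on non-Windows hosts.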
### Patch Availability and Exploitation Trends
**MetInfo** released patches for **CVE-2026-29014** on April 7, 2026. Exploitation attempts began around April 25, with initial activity targeting honeypots in the U.S. and Singapore.
**Caitlin Condon**, vice president of security research at **VulnCheck**, noted a surge in activity on May 1, 2026, originating from IP addresses in China and Hong Kong. Approximately 2,000 instances of **MetInfo** CMS are accessible online, primarily located in China.