Menace actors are actively exploiting a important security flaw impacting an open-source content material administration system (CMS) often known as MetInfo, based on new findings from VulnCheck.
The vulnerability in query is CVE-2026-29014 (CVSS rating: 9.8), a code injection flaw that would end in arbitrary code execution.
“MetInfo CMS variations 7.9, 8.0, and eight.1 include an unauthenticated PHP code injection vulnerability that enables distant attackers to execute arbitrary code by sending crafted requests with malicious PHP code,” the NIST Nationwide Vulnerability Database (NVD) states.
“Attackers can exploit inadequate enter neutralization within the execution path to realize distant code execution and acquire full management over the affected server.”
Per security researcher Egidio Romano, who found the vulnerability, the issue is rooted within the “/app/system/weixin/embrace/class/weixinreply.class.php” script, and stems from an absence of ample sanitization of user-supplied enter when issuing Weixin (aka WeChat) API requests.
In consequence, distant, unauthenticated attackers may exploit this loophole to inject and execute arbitrary PHP code. One key prerequisite for profitable exploitation when MetInfo is working on non-Home windows servers is that the “/cache/weixin/” listing has to exist beforehand.The listing is created when putting in and configuring the official WeChat plugin.
Patches for CVE-2026-29014 have been launched by MetInfo on April 7, 2026. The vulnerability has since come beneath exploitation as of April 25, with a “small variety of exploits” deployed in opposition to vulnerable honeypots positioned within the U.S. and Singapore.
Though these efforts have been initially sparse and related to automated probing, the exercise witnessed a surge on Could 1, 2026, specializing in China and Hong Kong IP addresses, Caitlin Condon, vice chairman of security analysis at VulnCheck, stated. As many as 2,000 situations of MetInfo CMS are accessible on-line, most of that are in China.
