MetInfo CMS Faces Active Exploitation of Critical RCE Flaw

MetInfo CMS versions 7.9–8.1 are under active exploitation for CVE-2026-29014, a critical unauthenticated PHP code injection (CVSS 9.8) that can give remote attackers arbitrary code execution. The flaw stems from insufficient input sanitization in weixinreply.class.php when handling Weixin/WeChat API requests, and requires an existing /cache/weixin/ directory. MetInfo released patches on April 7, 2026; exploitation has been observed since April 25, with honeypots in the US and Singapore and a surge on May 1 targeting China/Hong Kong. Roughly 2,000 online MetInfo instances are exposed, many in China, indicating a real risk of full server takeover for compromised systems.
Read on The Hacker News