MetInfo CMS Faces Active Exploitation of Critical RCE Flaw
MetInfo CMS versions 7.9–8.1 are under active exploitation for CVE-2026-29014, a critical unauthenticated PHP code injection (CVSS 9.8) that can give remote attackers arbitrary code execution. The flaw stems from insufficient input sanitization in weixinreply.class.php when handling Weixin/WeChat API requests, and requires an existing /cache/weixin/ directory. MetInfo released patches on April 7, 2026; exploitation has been observed since April 25, with honeypots in the US and Singapore and a surge on May 1 targeting China/Hong Kong. Roughly 2,000 online MetInfo instances are exposed, many in China, indicating a real risk of full server takeover for compromised systems.