RC RANDOM CHAOS

MetInfo CMS Flaw CVE-2026-29014 Under Active Exploitation for Unauthenticated RCE

· via The Hacker News


A critical PHP code injection vulnerability in MetInfo CMS versions 7.9 through 8.1, tracked as CVE-2026-29014 with a CVSS score of 9.8, is being actively exploited in the wild. The flaw lives in the WeChat reply handler at /app/system/weixin/include/class/weixinreply.class.php, where user-supplied input feeding into Weixin API calls is not properly sanitized, letting unauthenticated attackers inject and execute arbitrary PHP and take over the host. On non-Windows servers, exploitation requires the /cache/weixin/ directory to already exist — a condition met whenever the official WeChat plugin has been installed and configured.

MetInfo shipped patches on April 7, 2026, but VulnCheck observed initial exploitation against U.S. and Singapore honeypots starting April 25, followed by a sharp escalation on May 1 driven by traffic from China and Hong Kong IPs. With roughly 2,000 internet-facing MetInfo instances — overwhelmingly hosted in China — the patch gap and the CMS’s regional concentration give attackers a sizable, slow-to-update target surface for opportunistic server takeover.
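A local triage check built from the conditions stated above (an added example, not code from the original article, MetInfo or VulnCheck): given a webroot and an operator-supplied version string, it reports whether the install is in the stated 7.9 to 8.1 range, whether the handler file is present, and whether /cache/weixin/ exists. The function names and verdict labels are hypothetical, and because a patched install may still report an in-range version, the strongest verdict only means "confirm the April 7 patch is applied".

```python
import os
import re
import sys

# Relative paths and affected range exactly as stated in the summary above.
HANDLER = "app/system/weixin/include/class/weixinreply.class.php"
CACHE_DIR = "cache/weixin"
AFFECTED_MIN, AFFECTED_MAX = (7, 9), (8, 1)


def parse_version(text):
    """Return (major, minor) from a string such as '8.0' or 'V7.9.2', else None."""
    m = re.search(r"(\d+)\.(\d+)", text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def triage(webroot, version, windows=(os.name == "nt")):
    """Classify one install. Assumption: the operator supplies `version`;
    this script does not know where MetInfo records it on disk."""
    ver = parse_version(version)
    in_range = ver is not None and AFFECTED_MIN <= ver <= AFFECTED_MAX
    handler = os.path.isfile(os.path.join(webroot, HANDLER))
    cache = os.path.isdir(os.path.join(webroot, CACHE_DIR))
    # Per the summary, the cache directory is a precondition only on non-Windows hosts.
    precondition = windows or cache
    if ver is None:
        verdict = "unknown-version"            # verify the version by hand
    elif not in_range or not handler:
        verdict = "not-in-stated-scope"
    elif precondition:
        verdict = "exposed-unless-patched"     # confirm the vendor patch now
    else:
        verdict = "affected-precondition-absent"  # still patch: plugin setup creates the dir
    return {"version": ver, "in_range": in_range, "handler_present": handler,
            "cache_weixin_present": cache, "verdict": verdict}


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: triage.py <webroot> <version>")
    result = triage(sys.argv[1], sys.argv[2])
    for key, value in result.items():
        print(f"{key}: {value}")
    sys.exit(1 if result["verdict"] == "exposed-unless-patched" else 0)
```
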


This is an AI-generated summary. Read the original for the full story.