Critical MetInfo CMS Flaw (CVE-2026-29014) Under Active Exploitation — CVSS 9.8 Code Injection Hits Thousands of Sites

Summary

A critical unauthenticated PHP code injection vulnerability in MetInfo CMS (CVE-2026-29014, CVSS 9.8) is being actively exploited in the wild. The flaw affects MetInfo versions 7.9, 8.0, and 8.1, and allows attackers to achieve arbitrary code execution and full server control without authentication.

The vulnerability resides in the /app/system/weixin/include/class/weixinreply.class.php script, which processes WeChat API requests with insufficient input neutralization. Attackers can inject malicious PHP code through crafted requests. While patches were released on April 7, exploitation began on April 25 and surged dramatically on May 1, particularly targeting servers in China and Hong Kong. Approximately 2,000 MetInfo instances remain accessible online, and public exploit code — including Nuclei templates — is now freely available.

Source

📰 The Hacker News — MetInfo CMS CVE-2026-29014 Exploited in the Wild

📰 SecurityWeek — MetInfo Vulnerabilities in Attackers’ Crosshairs

Commentary

A CVSS 9.8 with public exploit code and active exploitation is about as bad as it gets. The nearly month-long gap between patch availability (April 7) and the surge in exploitation (May 1) is a textbook example of the patch-lag problem — defenders simply aren’t moving fast enough. With Nuclei templates now circulating, anyone with a vulnerability scanner can fire this off at scale.

If you’re running MetInfo, the window to patch quietly closed weeks ago. At this point it’s patch-and-audit: update immediately, then check whether you’ve already been compromised, since a site exploited before the update keeps any dropped webshell or backdoor after it. The targeting pattern suggests opportunistic scanning, so even low-profile sites are at risk.
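The audit half of "patch-and-audit" above, as an added example that is not part of the original article and not MetInfo's own code: a small Python triage script that walks a MetInfo webroot and flags PHP files either modified after the first observed exploitation date (April 25, taken from the article) or containing calls commonly seen in PHP webshells. The indicator list, the sample file tree and its timestamps are constructed assumptions for illustration; the affected-version set is the one the article names.

```python
"""Post-patch triage for a MetInfo webroot (added example, not project code).

Two signals are combined:
  1. PHP files whose mtime is later than the first observed exploitation
     date (April 25, 2026, per the article), which may be attacker-dropped.
  2. PHP files containing functions commonly used by webshells (assumed
     heuristic list, not something from the advisory).
Both are triage hints, not proof of compromise.
"""
from __future__ import annotations

import os
import re
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Versions the advisory lists as affected.
AFFECTED_VERSIONS = {"7.9", "8.0", "8.1"}

# First observed in-the-wild exploitation (from the article).
EXPLOITATION_START = datetime(2026, 4, 25, tzinfo=timezone.utc).timestamp()

# Assumed generic webshell indicators; tune for your environment.
SUSPICIOUS = re.compile(
    rb"\b(?:eval|assert|system|passthru|shell_exec|base64_decode)\s*\(",
    re.IGNORECASE,
)


def is_affected(version: str) -> bool:
    """True if the installed MetInfo version is in the advisory's affected set."""
    return version.strip() in AFFECTED_VERSIONS


def audit_webroot(root: str | os.PathLike, since_ts: float = EXPLOITATION_START):
    """Return sorted (relative_path, [reasons]) for PHP files worth a closer look."""
    base = Path(root)
    findings = []
    for path in base.rglob("*.php"):
        reasons = []
        if path.stat().st_mtime > since_ts:
            reasons.append("modified after exploitation start")
        match = SUSPICIOUS.search(path.read_bytes())
        if match:
            reasons.append(f"suspicious call {match.group(0).decode(errors='replace')}")
        if reasons:
            findings.append((path.relative_to(base).as_posix(), reasons))
    return sorted(findings)


def build_sample_tree() -> tuple[str, float]:
    """Construct a throwaway fake webroot (constructed sample data, not a real site)."""
    root = tempfile.mkdtemp(prefix="metinfo_audit_")
    old = datetime(2026, 1, 1, tzinfo=timezone.utc).timestamp()
    fresh = EXPLOITATION_START + 3 * 86400  # three days after exploitation began
    samples = {
        "index.php": (b"<?php require 'app/bootstrap.php';\n", old),
        "app/lib/legacy_helper.php": (b"<?php $x = base64_decode($y);\n", old),
        "upload/cache/z.php": (b"<?php @eval($_POST['cmd']);\n", fresh),
        "app/lib/clean.php": (b"<?php function ok() { return 1; }\n", fresh - 90 * 86400),
    }
    for rel, (body, mtime) in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(body)
        os.utime(target, (mtime, mtime))
    return root, EXPLOITATION_START


if __name__ == "__main__":
    sample_root, since = build_sample_tree()
    print("affected version 8.1:", is_affected("8.1"))
    for rel_path, why in audit_webroot(sample_root, since):
        print(f"{rel_path}: {', '.join(why)}")
```

A file flagged only on mtime is not necessarily malicious (an admin who applied the patch after April 25 touched legitimate files too), so compare flagged files against a clean copy of the patched release and treat hits in upload or cache directories with the most suspicion. Conversely, a clean mtime proves nothing, since an attacker with code execution can reset timestamps.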

You May Have Missed