MetInfo CMS is under active exploitation through a critical code injection flaw, CVE-2026-29014, which carries a CVSS score of 9.8 and can lead to remote code execution. According to the NIST National Vulnerability Database, versions 7.9, 8.0 and 8.1 contain an unauthenticated PHP code injection vulnerability that lets remote attackers run arbitrary code by sending crafted requests with malicious PHP.
The flaw stems from insufficient input sanitisation in the Weixin (WeChat) API request path, specifically in the /app/system/weixin/include/class/weixinreply.class[.]php script. On non-Windows servers, a prerequisite is that the /cache/weixin/ directory exists. MetInfo released patches on 7 April 2026, and exploitation had begun by 25 April, described as a “small number of exploits” on honeypots in the United States and Singapore.
Security researchers at VulnCheck noted a surge on 1 May 2026, with activity clustering around China and Hong Kong IPs; up to 2,000 MetInfo CMS instances are reported as accessible online, the majority in China.