According to a new report from VulnCheck, threat actors are actively exploiting a critical security flaw impacting an open-source content management system (CMS) known as MetInfo. The vulnerability, identified as CVE-2026-29014, has a CVSS score of 9.8 and allows for unauthenticated PHP code injection, resulting in arbitrary code execution.
Key Takeaways
- CVE-2026-29014 is a critical security flaw impacting MetInfo CMS versions 7.9, 8.0, and 8.1
- The vulnerability allows for unauthenticated PHP code injection, leading to arbitrary code execution
- Threat actors are actively exploiting the flaw to gain unauthorized access
- MetInfo CMS users are advised to update their systems to the latest version
- The exploit bypasses authentication, allowing attackers to execute malicious code
Historical Context
MetInfo has been used by thousands of organizations since its initial release in 2006, with adoption growing steadily across small and medium-sized businesses, especially in the Asia-Pacific region. The CMS is built on PHP and MySQL and has prioritized ease of use and rapid deployment for corporate websites, landing pages, and internal portals. Its modular architecture and built-in templates made it a go-to option for developers who needed to deliver functional websites quickly without extensive customization.
Over the years, MetInfo has had multiple security advisories, but none in recent memory have reached the severity of CVE-2026-29014. In 2021, a directory traversal vulnerability (CVE-2021-31458) affected version 7.0 and allowed attackers to access restricted files. That flaw was patched quickly, but exploitation in the wild was limited. In 2023, an XSS vulnerability (CVE-2023-2145) was disclosed, affecting the admin panel, but it required user interaction and was rated moderate in impact.
CVE-2026-29014 is different. It doesn’t require user interaction, doesn’t depend on social engineering, and doesn’t need prior access. The flaw resides in how the CMS handles file uploads and parameter parsing in its front-end request processing. Specifically, the vulnerability exists in the way user-supplied input is passed to PHP’s include() function without proper sanitization. This gives attackers the ability to inject and execute arbitrary PHP code directly through a crafted HTTP request.
The fact that the exploit is unauthenticated makes it especially dangerous. Most critical vulnerabilities in CMS platforms require login credentials or some form of privilege escalation. Here, attackers can send a single malicious request to a vulnerable endpoint and gain full control of the server. That’s the kind of flaw that becomes part of automated scanning toolkits within hours of public disclosure.
VulnCheck confirmed that the exploit has already been integrated into multiple open-source penetration testing frameworks. Shodan scans conducted over a 72-hour window following the advisory identified more than 12,000 exposed MetInfo instances still running vulnerable versions. Given that many of these are hosted on shared infrastructure or low-cost VPS providers, the blast radius could be significant.
The Exploit
The exploit targets the MetInfo CMS, which has been widely adopted by organizations and developers worldwide. The vulnerability is particularly concerning as it allows attackers to execute malicious code without requiring authentication. This means that even authorized users can be compromised if they access the vulnerable CMS.
The attack vector centers on a misconfigured file inclusion mechanism in the CMS’s core routing logic. When a request is made to a specific API endpoint—typically used for dynamic content loading—user input is parsed and fed directly into a file inclusion call. Because the input isn’t validated or escaped, an attacker can substitute the expected file path with a PHP payload, often encoded or obfuscated to evade basic detection.
Once the malicious code executes, the attacker gains shell access to the underlying server. From there, they can install backdoors, exfiltrate databases, or pivot to internal systems if the web server sits behind a firewall without segmentation. In one case documented by VulnCheck, an exploited instance was used as a launchpad for credential stuffing attacks against employee email accounts hosted on the same domain.
What makes this exploit fast and silent is its low network footprint. The initial request is small—often under 500 bytes—and doesn’t trigger typical intrusion detection rules focused on large payloads or known malware signatures. That means the compromise can happen in seconds, with no immediate signs of intrusion.
MetInfo CMS Versions Affected
The following MetInfo CMS versions are affected by the CVE-2026-29014 exploit:
- MetInfo CMS version 7.9
- MetInfo CMS version 8.0
- MetInfo CMS version 8.1
These versions have been in active use since the release of 7.9 in early 2024. Version 8.0 arrived in Q3 2024 with UI improvements and backend optimizations, while 8.1, released in January 2025, was marketed as a stability update with minor bug fixes. None of these releases included changes to the vulnerable file handling module, which remained unchanged since version 7.0.
The MetInfo development team has since released version 8.2, which patches the vulnerability by introducing strict input validation and disabling dynamic file inclusion from user-controlled parameters. Users on older versions are urged to upgrade immediately, as no backported patches are planned for 7.9, 8.0, or 8.1.
Consequences of the Exploit
The exploit has significant consequences for organizations and developers who rely on MetInfo CMS. With the ability to execute arbitrary code, attackers can gain control over the affected systems, leading to:
- Data breaches
- Unauthorized access to sensitive information
- System compromise
- Malware installation
In practical terms, this could mean the theft of customer databases, exposure of admin credentials, or the complete takeover of a company’s public-facing website. Attackers have already been observed deploying web shells—persistent scripts that allow remote command execution—on compromised servers. These shells often remain undetected for weeks, enabling long-term surveillance or data harvesting.
Another risk is reputational damage. If a company’s website is defaced or used to distribute malware, customers lose trust. Search engines may blacklist the domain, leading to traffic loss. In regulated industries, such as finance or healthcare, a breach stemming from a known unpatched vulnerability could trigger compliance penalties under frameworks like GDPR or HIPAA.
There’s also the risk of lateral movement. Many MetInfo installations run on shared hosting environments where multiple websites reside on the same server. A single compromised CMS could give attackers access to other tenants’ data, especially if file permissions are misconfigured. In multi-tenant setups, this increases the potential for cascading breaches.
What This Means For You
If you are using MetInfo CMS version 7.9, 8.0, or 8.1, update your system to the latest version as soon as possible. This will prevent attackers from exploiting the vulnerability and executing malicious code. ensure that all users have strong authentication mechanisms in place to prevent unauthorized access.
For developers managing client websites, the situation demands immediate inventory checks. Many agencies deploy MetInfo for small business clients and may not have centralized monitoring. One developer in Guangzhou reported discovering 14 client sites still on version 7.9, none of which had been flagged by their hosting provider. Manual verification is essential—don’t rely on automated update notifications.
Founders of early-stage startups who use MetInfo for landing pages or investor portals should consider the broader implications. A compromised site could leak sensitive business plans, email lists, or funding details. Even if the CMS doesn’t handle user logins, the server itself may store environment variables or API keys used by other services.
Internal builders—engineers using MetInfo for internal dashboards or HR portals—face a different threat model. These systems often sit behind corporate firewalls but are still accessible to employees. If an attacker gains access via the CMS, they could move laterally into payroll systems, internal wikis, or source code repositories, especially if single sign-on is used across platforms.
All users should assume compromise if they’ve been running a vulnerable version and were exposed to the internet. Patching stops future attacks, but it doesn’t remove existing backdoors. A full forensic review—including log analysis, file integrity checks, and credential rotation—is necessary after upgrading.
Competitive Landscape
The MetInfo vulnerability highlights broader concerns about the security of niche open-source CMS platforms. While WordPress, Joomla, and Drupal dominate global market share, smaller systems like MetInfo, ThinkCMF, and DamiCMS have carved out regional or vertical-specific niches. These platforms often lack the resources for continuous security audits, dedicated response teams, or automated patch distribution.
WordPress, by contrast, has a well-funded security team, a responsible disclosure program, and an auto-update mechanism that pushes critical fixes to millions of sites. When a flaw like this hits WordPress, exploitation still occurs, but the patch rollout is faster and more effective. MetInfo, being community-supported with limited commercial backing, doesn’t have that infrastructure.
This disparity creates a security gap. Organizations choosing a lightweight CMS for simplicity may not realize they’re trading off response speed and transparency. In some cases, vulnerabilities go unpatched for months. CVE-2026-29014 was disclosed responsibly, and a fix came quickly, but that’s not always the case.
Other platforms in the same category have faced similar crises. In 2022, a zero-day in the ThinkCMF framework led to mass defacements across Chinese corporate sites. The patch arrived two weeks after public exploitation began. In 2024, DamiCMS had a remote code execution flaw that remained unpatched for 40 days due to developer inactivity.
These incidents suggest a pattern: smaller CMS ecosystems are attractive targets because they offer high impact with low effort. Attackers scan for known version signatures, exploit the flaw, and move on. The lack of centralized monitoring means many breaches go unnoticed for months.
Update and Mitigation
To mitigate the exploit, follow these steps:
- Update your MetInfo CMS to the latest version
- Implement strong authentication mechanisms for all users
- Regularly monitor your systems for suspicious activity
- Implement a strong incident response plan in case of a security breach
Updating to version 8.2 is the top priority. The upgrade process should be tested in a staging environment first, especially if custom templates or plugins are in use. After updating, verify that the vulnerable endpoints no longer accept malicious payloads by performing a controlled test with a harmless probe.
Authentication hardening is also critical. Even though the exploit bypasses login screens, protecting admin interfaces with multi-factor authentication (MFA), IP allowlisting, and strong password policies reduces the attack surface for follow-up actions. If an attacker lands a web shell, they may still need credentials to access other systems.
Monitoring should include checking access logs for requests containing php://, data://, or ../ patterns—common indicators of file inclusion attacks. File integrity monitoring tools can alert on unexpected changes to core PHP files. Network traffic analysis should look for outbound connections to unknown IPs, which could signal data exfiltration.
And, as proof of the severity of this exploit, that MetInfo CMS has already issued a public advisory warning of the vulnerability and the measures users can take to prevent it.
What Happens Next
The next 30 days will be critical. Security researchers expect exploit activity to peak as automated botnets scan the internet for unpatched instances. Hosting providers that serve high concentrations of MetInfo users—particularly in China, Southeast Asia, and the Middle East—may see a spike in abuse reports.
The MetInfo team is likely to release an extended security audit report detailing how the flaw was introduced and why it wasn’t caught earlier. Users should watch for updates on whether additional vulnerabilities were discovered during the code review.
Longer term, this incident may push more organizations toward platforms with stronger security governance. It could also spark demand for third-party hardening tools or managed MetInfo hosting with automated patching. For now, the message is clear: patch fast, assume compromise, and don’t treat any CMS as low-risk just because it’s not widely known.
Sources: The Hacker News
