PT-2026-29514 · Unknown · Metinfo Cms

Egidio Romano · Published 2026-02-26 · Updated 2026-06-19 · CVE-2026-29014

CVSS v2.0: 10 (Critical)

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Name of the Vulnerable Software and Affected Versions

MetInfo CMS versions 7.9 through 8.1

Description

An unauthenticated PHP code injection flaw exists due to insufficient input neutralization in the execution path, specifically within the wxAdminLogin() function and the file /app/system/weixin/include/class/weixinreply.class.php. This issue affects the handling of Weixin (WeChat) API requests. Remote attackers can execute arbitrary code and gain full control over the affected server by sending crafted requests containing malicious PHP code. This exploitation is possible on non-Windows servers where the /cache/weixin/ directory exists, which occurs when the official WeChat plugin is installed and configured. Real-world exploitation has been observed, with a significant surge in activity starting May 1, 2026, primarily targeting approximately 2,000 online instances in China and Hong Kong, as well as some honeypots in the U.S. and Singapore.

Recommendations

Update MetInfo CMS versions 7.9, 8.0, and 8.1 to the patched versions released on April 7, 2026. As a temporary workaround, restrict access to the WeChat API component or the /app/system/weixin/include/class/weixinreply.class.php file to minimize the risk of exploitation.
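
The exposure conditions named in the description can be checked per install with a short triage script. This is an added example, not code from the advisory or from MetInfo; the function names are hypothetical, and the version string is assumed to be supplied by the operator because the advisory does not say where the CMS stores it.

```python
import os
import platform
import tempfile

# Paths taken from the advisory, relative to the MetInfo web root.
CACHE_DIR = os.path.join("cache", "weixin")
REPLY_CLASS = os.path.join("app", "system", "weixin", "include", "class",
                           "weixinreply.class.php")
AFFECTED_MIN, AFFECTED_MAX = (7, 9), (8, 1)


def in_affected_range(version):
    """True if an operator-supplied version string falls in 7.9 through 8.1."""
    parts = version.strip().lstrip("vV").split(".")
    try:
        major_minor = (int(parts[0]), int(parts[1]) if len(parts) > 1 else 0)
    except ValueError:
        raise ValueError(f"unrecognised version string: {version!r}")
    return AFFECTED_MIN <= major_minor <= AFFECTED_MAX


def assess(webroot, version, os_name=None):
    """Report which exposure conditions from the advisory hold for one install."""
    os_name = os_name or platform.system()
    result = {
        "affected_version": in_affected_range(version),
        "non_windows": os_name.lower() != "windows",
        "cache_weixin_dir": os.path.isdir(os.path.join(webroot, CACHE_DIR)),
        "reply_class_present": os.path.isfile(os.path.join(webroot, REPLY_CLASS)),
    }
    # The advisory ties exploitability to a non-Windows host with /cache/weixin/.
    # A version number cannot show whether the April 7, 2026 patch was applied,
    # so a True here means "confirm the patch", not "confirmed vulnerable".
    result["needs_action"] = (result["affected_version"]
                              and result["non_windows"]
                              and result["cache_weixin_dir"])
    return result


def demo():
    """Constructed sample: a throwaway directory tree standing in for a web root."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, CACHE_DIR))
        os.makedirs(os.path.dirname(os.path.join(root, REPLY_CLASS)))
        open(os.path.join(root, REPLY_CLASS), "w").close()
        return assess(root, "8.0", os_name="Linux")


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

An install that reports `needs_action` as true should be confirmed as patched or placed behind the access restriction described in the recommendations.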

Exploit · Fix · RCE · Code Injection


Weakness Enumeration

Related Identifiers

BDU:2026-07542
CVE-2026-29014

Affected Products

Metinfo Cms