PT-2026-29514 · Unknown · Metinfo Cms
Egidio Romano · Published 2026-02-26 · Updated 2026-05-15 · CVE-2026-29014
CVSS v2.0: 10 (Critical)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions
MetInfo CMS versions 7.9 through 8.1
Description
An unauthenticated PHP code injection flaw allows remote attackers to execute arbitrary code and gain full control over the affected server by sending crafted requests containing malicious PHP code. This issue stems from insufficient input neutralization in the execution path, specifically within the /app/system/weixin/include/class/weixinreply.class.php file during the handling of Weixin (WeChat) API requests. Exploitation requires the server to be non-Windows and the /cache/weixin/ directory to exist, which occurs when the official WeChat plugin is installed and configured. Real-world exploitation has been observed, with a significant surge in activity starting May 1, 2026, primarily targeting approximately 2,000 online instances in China and Hong Kong, as well as honeypots in the U.S. and Singapore. Attackers have used this flaw to escalate privileges and move laterally across networks.
Recommendations
Update MetInfo CMS versions 7.9, 8.0, and 8.1 to the patched versions released on April 7, 2026.
As a temporary workaround, restrict access to the /app/system/weixin/include/class/weixinreply.class.php file or disable the official WeChat plugin to remove the /cache/weixin/ directory.
Exploit
Fix
RCE
Code Injection
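The exploitation preconditions named in the description (non-Windows server, the WeChat component file present, /cache/weixin/ present) can be checked per webroot before and after applying the workaround. The script below is an added example, not code from MetInfo or from the advisory's author; the function name, status words and exit codes are assumptions made for illustration, and it does not check the installed version.

```shell
#!/bin/sh
# Added example: tests one MetInfo webroot against the exploitation
# preconditions listed in the advisory. The version is NOT checked here;
# compare the installed version (7.9 through 8.1 affected) separately.

# Paths relative to the webroot, taken from the advisory text.
VULN_FILE="app/system/weixin/include/class/weixinreply.class.php"
CACHE_DIR="cache/weixin"

# Usage: metinfo_weixin_exposure WEBROOT [OS_NAME]
# OS_NAME defaults to `uname -s`; pass it explicitly when inspecting a
# webroot copied or mounted from another host.
# Prints one status word (hypothetical names) and returns:
#   0 preconditions-met     file and cache dir present on a non-Windows host
#   1 preconditions-absent  cache dir missing, or host is Windows
#   2 component-not-found   weixinreply.class.php not under WEBROOT
#   3 usage-error           WEBROOT missing or not a directory
metinfo_weixin_exposure() {
    webroot=${1:-}
    os_name=${2:-$(uname -s)}
    if [ -z "$webroot" ] || [ ! -d "$webroot" ]; then
        echo "usage-error"
        return 3
    fi
    if [ ! -f "$webroot/$VULN_FILE" ]; then
        echo "component-not-found"
        return 2
    fi
    case "$os_name" in
        CYGWIN*|MINGW*|MSYS*|Windows*)
            echo "preconditions-absent"
            return 1 ;;
    esac
    if [ -d "$webroot/$CACHE_DIR" ]; then
        echo "preconditions-met"
        return 0
    fi
    echo "preconditions-absent"
    return 1
}

# Run directly as: sh check.sh /path/to/webroot
if [ "$#" -gt 0 ]; then
    metinfo_weixin_exposure "$@"
fi
```

A result of `preconditions-absent` only reflects the state at the time of the check, since the advisory notes that the directory appears once the WeChat plugin is installed and configured.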
Affected Products
Metinfo Cms