MetInfo CMS Zero-Day CVE-2026-29014: What Enterprises Need to Know About Active Exploitation
A critical security flaw identified as CVE-2026-29014 is being actively targeted by threat actors, posing a severe risk to websites running the open-source MetInfo content management system (CMS). Discovered by VulnCheck, this unauthenticated code injection vulnerability allows attackers to execute arbitrary code remotely, potentially compromising entire servers. Below, we break down the most pressing questions about this exploit, its impact, and how to defend against it.
1. What is CVE-2026-29014 and why is it critical?
CVE-2026-29014 is a code injection flaw found in MetInfo CMS versions 7.9, 8.0, and 8.1. It is classified as a remote code execution (RCE) vulnerability, meaning an attacker can inject and run malicious PHP code on the target server without needing any authentication. The vulnerability resides in the CMS's input validation mechanism, which fails to properly sanitize user-supplied data. This allows a threat actor to craft a malicious HTTP request that triggers the injection. The criticality stems from the lack of required privileges and the potential for complete server takeover, data theft, or deployment of ransomware. As evidence of its danger, the Common Vulnerability Scoring System (CVSS) rates it a near-perfect 9.8 out of 10.

2. Which versions of MetInfo are affected?
According to VulnCheck's report, the vulnerable versions are MetInfo CMS 7.9, 8.0, and 8.1. These versions share a common codebase where the PHP input handling routine is insufficiently secured. Organizations running any of these releases are at immediate risk, especially if the CMS is exposed to the public internet. Outdated installations—those not patched to the most recent security update—are the primary target. The exploit is known to be actively weaponized, making it imperative to check your current version and apply fixes without delay.
3. How does the remote code execution attack work?
The attack exploits a form of PHP code injection by sending specially crafted HTTP requests to vulnerable MetInfo endpoints. The CMS fails to sanitize certain parameters, allowing an attacker to embed arbitrary PHP code in a POST or GET variable. Once the server processes the request, the injected code is executed in the context of the web application. This leads to immediate RCE, giving the attacker the same permissions as the web server user. The exact mechanism does not require valid login credentials, making it an unauthenticated exploit—an attacker needs only network access to the web server to try to compromise it.
4. What is the CVSS score and what does it mean?
The vulnerability has been assigned a CVSS v3.1 score of 9.8, placing it in the "Critical" severity bucket. This score is derived from low attack complexity, no required privileges, and no user interaction. The attack vector is network-based, and the potential impact includes total loss of confidentiality, integrity, and availability of the affected system. Essentially, a successful exploit gives an attacker the keys to the entire server—they can read sensitive data, modify website content, install backdoors, or even pivot to other networked systems. In the cybersecurity community, a score above 9.0 is reserved for vulnerabilities that require immediate patching and remediation.
5. How are attackers exploiting this flaw in the wild?
VulnCheck's research confirms that threat actors are actively exploiting CVE-2026-29014 in real-world campaigns. Attackers typically scan the web for MetInfo instances running vulnerable versions, then send a crafted payload to the target URL. Once code is executed, they often deploy web shells or coin miners, or exfiltrate database contents. Because the exploit leaves minimal traces, many compromises go undetected until significant damage is done. Security teams should monitor firewall logs for abnormal POST requests to the MetInfo scripts, especially those containing PHP functions like eval or system, or base64-encoded strings. Early detection can prevent full server takeover.

6. What steps should organizations take to mitigate the risk?
Immediate actions include:
- Upgrade your MetInfo instance to a patched version beyond 8.1 if available, or apply the vendor-supplied hotfix.
- Isolate the CMS server behind a web application firewall (WAF) with rules blocking known exploit patterns.
- Restrict network access to the CMS administrative interface only from trusted IPs.
- Audit server logs for suspicious activity and scan for any already-deployed web shells.
- Implement least privilege for the web server process to limit the blast radius if compromise occurs.
For more details on securing your server, refer to question 7 regarding patches.
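The log-monitoring advice in question 5 and the "audit server logs and scan for web shells" step above can be turned into a small triage script. The following is an added example written for this article; it is not code from the article, from VulnCheck or from the MetInfo project. The request-log format and the /cms/... script paths are constructed for illustration and are not MetInfo's real file names, and the 40-character base64 cut-off is a tuning choice.

```python
"""Triage helpers for a suspected PHP code-injection campaign against a CMS.

Added example, not code from the article, VulnCheck or the MetInfo project.
The log format and the /cms/... paths are constructed for illustration and
are not MetInfo's real script names; treat every threshold as a tuning choice.
"""
import base64
import re
from pathlib import Path
from urllib.parse import quote, unquote_plus

# PHP execution primitives that injected payloads and web shells call.
PHP_EXEC = re.compile(
    r"\b(eval|system|exec|shell_exec|passthru|assert|popen|proc_open)\s*\(",
    re.IGNORECASE,
)
# A run of base64 alphabet long enough to hide a payload (40 is a chosen cut-off).
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")

# Constructed request-log format: ip method path status body="urlencoded body"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3}) body="(?P<body>.*)"$'
)


def _decoded_blobs(blobs):
    """Yield the text of each base64 blob that decodes cleanly."""
    for blob in blobs:
        padded = blob + "=" * (-len(blob) % 4)
        try:
            yield base64.b64decode(padded, validate=True).decode("latin-1")
        except ValueError:
            continue  # not real base64 (e.g. a long hex string or token); skip it


def indicators(text):
    """Return the indicator names found in `text`, in a fixed order."""
    found = []
    if PHP_EXEC.search(text):
        found.append("php-exec-call")
    blobs = B64_BLOB.findall(text)
    if blobs:
        found.append("base64-blob")
        if any(PHP_EXEC.search(d) for d in _decoded_blobs(blobs)):
            found.append("base64-wrapped-php-exec")
    return found


def suspicious_requests(log_lines, cms_prefix="/"):
    """Return (ip, script path, indicators) for each request under `cms_prefix`
    whose query string or body carries an injection indicator."""
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if m is None or not m["path"].startswith(cms_prefix):
            continue
        script, _, query = m["path"].partition("?")
        payload = unquote_plus(query) + " " + unquote_plus(m["body"])
        found = indicators(payload)
        if found:
            hits.append((m["ip"], script, found))
    return hits


def webshell_candidates(webroot):
    """Return PHP files under `webroot` whose source contains an execution
    primitive. Legitimate code can too, so each hit needs a human look."""
    out = []
    for p in sorted(Path(webroot).rglob("*")):
        if p.suffix.lower() not in {".php", ".phtml", ".php5", ".phar"}:
            continue
        try:
            text = p.read_text(encoding="utf-8", errors="replace")
        except OSError:
            continue
        if indicators(text):
            out.append(str(p))
    return out


# Constructed samples: one clean request, one inline eval, one base64-wrapped
# payload against the CMS path, and one against a non-CMS path.
_B64 = base64.b64encode(b"<?php system($_GET['cmd']); ?>").decode()
SAMPLE_LOG = [
    '203.0.113.7 POST /cms/app/index.php 200 body="name=alice&page=2"',
    '203.0.113.9 POST /cms/app/index.php 200 body="lang=cn%27%3Beval(%24_POST%5Bx%5D)%3B"',
    '198.51.100.4 GET /cms/app/index.php?id=1 200 body=""',
    '198.51.100.5 POST /cms/app/index.php 200 body="data=' + quote(_B64, safe="") + '"',
    '192.0.2.10 POST /blog/post.php 200 body="' + quote(_B64, safe="") + '"',
]
SAMPLE_SHELL_SOURCE = "<?php @eval(base64_decode($_POST['p'])); ?>"  # constructed

if __name__ == "__main__":
    for ip, script, found in suspicious_requests(SAMPLE_LOG, cms_prefix="/cms/"):
        print(f"{ip} -> {script}: {', '.join(found)}")
    print("shell indicators:", indicators(SAMPLE_SHELL_SOURCE))
```

Two practical notes. Ordinary web-server access logs do not record POST bodies, so this only works on logs from a WAF, reverse proxy or audit module that captures request bodies; without that, the query-string check is all you get. The base64 heuristic on its own will also fire on long session tokens and similar values, which is why the decoded-payload check is reported as a separate, stronger indicator.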
7. Are there any patches or workarounds available?
At the time of the VulnCheck disclosure, MetInfo had officially released patches for versions 7.9, 8.0, and 8.1. Organizations must update to the latest patched version—such as 7.9.1, 8.0.1, or 8.1.1—depending on their branch. If immediate patching is not possible, a temporary workaround involves manually editing the vulnerable PHP files to add input sanitization functions like htmlspecialchars or preg_replace to the affected endpoints. However, this is error-prone and not recommended for production. Always prefer applying the official fix from the vendor as the primary mitigation.
8. What is MetInfo and why should I care?
MetInfo is a popular open-source CMS used globally, especially by small to medium-sized businesses, educational institutions, and government agencies. Its simplicity and cost-free nature drive widespread adoption. However, like any open-source platform, it relies on community patches for security. The active exploitation of CVE-2026-29014 underscores the importance of continuous vulnerability management. Even a niche CMS can become a prime target when exposed. If your organization uses MetInfo, treat this as a high-priority incident—the unauthenticated RCE means attackers don't need to break into your login page; they can take over your entire site with a single HTTP request.