Critical Code Injection Vulnerability CVE-2026-29014 Actively Exploited in MetInfo CMS

Threat actors are actively exploiting a critical security vulnerability in MetInfo, an open-source content management system (CMS), identified as CVE-2026-29014 with a CVSS score of 9.8. The flaw is a code injection issue enabling unauthenticated remote code execution, affecting MetInfo CMS versions 7.9, 8.0, and 8.1. Research from VulnCheck confirmed the exploitation of this unauthenticated PHP code injection vulnerability. No specific attack timelines, affected organizations, or geographic targets were disclosed in the findings. The vulnerability allows arbitrary code execution without requiring authentication.