Security researchers are warning that a vulnerability in MetInfo CMS could allow unauthenticated remote code execution (RCE) on affected sites.[1] The issue is tracked as CVE-2026-29014 and affects MetInfo releases up to 8.2.0.[2]
VulnCheck said it has observed exploitation activity associated with the bug and added the issue to its exploited-vulnerability tracking dataset.[1] Independent disclosure notes describe a code-injection path reachable without authentication and report that the vendor shipped a fix in MetInfo 8.2.1.[3]

What MetInfo admins should do now
If you run MetInfo, prioritize updating to 8.2.1 or later, then review your web server and application logs for suspicious requests. Start the review from before the April 1, 2026 disclosure rather than at it, since exploitation can precede public reporting and VulnCheck reports the bug as exploited.[1][3] Because this is an RCE-class bug, assume an attacker who reached it could drop files, modify templates, create new admin users, or run additional tooling, and note that installing the patch closes the entry point but does not remove anything already planted.
After patching, rotate any credentials the CMS runtime could have read (database credentials, API tokens, SMTP passwords) and check the file tree for unexpected PHP files in web-writable directories such as caches and upload paths, comparing against a clean copy of the same release where possible. If you operate a WAF, consider temporarily tightening rules around unusual parameters and around direct requests for PHP files under CMS cache and upload directories until you have confirmed the instance is clean.
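The file-tree and log checks above, as an added triage script that is not MetInfo code and not taken from any of the cited advisories. It assumes a MetInfo-like layout with web-writable `upload`, `cache`, `data/cache` and `tmp` directories (adjust `WRITABLE_DIRS` to your install), an Apache/nginx combined access-log format, and a hand-picked set of webshell-like PHP constructs; the sample tree and log lines in `demo()` are constructed for illustration. It deliberately does not encode a request signature for CVE-2026-29014 itself, because the page does not describe the injection path in enough detail to match on it; it instead looks for what a successful exploit typically leaves behind: PHP executing from directories that should only ever serve static content.

```python
"""Post-exploitation triage for a PHP CMS tree (added example, not MetInfo code)."""
import re
import tempfile
from pathlib import Path

# Assumption: directories the web server can write to in a MetInfo-like install.
WRITABLE_DIRS = ("upload", "cache", "data/cache", "tmp")

# Anything PHP will execute, including double extensions such as x.php.jpg,
# which matter on servers with permissive handler configuration.
PHP_EXT = re.compile(r"\.(php|phtml|php[3-7]|phar)(\.|$)", re.IGNORECASE)

# Constructs rare in legitimate upload/cache content but common in webshells.
# A match is a signal for manual review, not proof of compromise.
WEBSHELL_PATTERNS = re.compile(
    rb"\b(eval|assert|system|passthru|shell_exec|exec|popen|proc_open)\s*\(|"
    rb"base64_decode\s*\(|\$_(GET|POST|REQUEST|COOKIE)\s*\[[^\]]*\]\s*\(|"
    rb"preg_replace\s*\([^,]*/e"
)

# Assumption: combined log format; ip, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r"(?P<status>\d{3}) (?P<size>\S+)"
)


def find_suspicious_php(root, since_epoch=None):
    """Return sorted [(relative_path, [reasons])] for PHP files under writable dirs.

    Every PHP file under a writable directory is reported (legitimate template
    caches will show up too); extra reasons mark files modified after
    `since_epoch` or containing webshell-like constructs, which deserve first look.
    """
    root = Path(root)
    hits = []
    for wdir in WRITABLE_DIRS:
        base = root / wdir
        if not base.is_dir():
            continue
        for path in base.rglob("*"):
            if not path.is_file() or not PHP_EXT.search(path.name):
                continue
            reasons = ["php file in writable dir %s" % wdir]
            if since_epoch is not None and path.stat().st_mtime >= since_epoch:
                reasons.append("modified after reference time")
            with open(path, "rb") as fh:
                head = fh.read(65536)  # webshells are small; cap the read anyway
            if WEBSHELL_PATTERNS.search(head):
                reasons.append("webshell-like construct")
            hits.append((path.relative_to(root).as_posix(), reasons))
    return sorted(hits)


def scan_access_log(lines):
    """Return [(ip, timestamp, path, reason)] for successful (2xx) requests that
    executed a PHP file under a writable directory. A CMS never serves PHP from
    its upload or cache tree on purpose, so these are worth tracing back to the
    request that planted the file."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines in another format rather than guessing
        path = m.group("path").split("?", 1)[0]
        norm = path.lstrip("/")
        in_writable = any(norm.startswith(d + "/") for d in WRITABLE_DIRS)
        if in_writable and PHP_EXT.search(norm) and m.group("status").startswith("2"):
            findings.append((m.group("ip"), m.group("ts"), path,
                             "php executed from writable dir"))
    return findings


def demo():
    """Run both checks over a constructed sample tree and log; returns results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "upload" / "2026").mkdir(parents=True)
        (root / "cache").mkdir()
        (root / "upload" / "2026" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
        (root / "upload" / "2026" / "img.php").write_bytes(b"<?php @eval($_POST['c']); ?>")
        (root / "cache" / "tpl_home.php").write_bytes(b"<?php echo 'cached template'; ?>")
        files = find_suspicious_php(root)
    log = [  # constructed sample lines, not real traffic
        '203.0.113.5 - - [02/Apr/2026:03:14:07 +0000] "POST /index.php HTTP/1.1" 200 512',
        '203.0.113.5 - - [02/Apr/2026:03:14:09 +0000] "GET /upload/2026/img.php?c=id HTTP/1.1" 200 87',
        '198.51.100.7 - - [02/Apr/2026:03:20:00 +0000] "GET /upload/2026/photo.jpg HTTP/1.1" 200 40311',
        '203.0.113.5 - - [02/Apr/2026:03:14:11 +0000] "GET /cache/x.php HTTP/1.1" 404 153',
    ]
    return files, scan_access_log(log)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

In the sample run the cache template is listed with only the "writable dir" reason while the uploaded file also carries the "webshell-like construct" reason, which is the intended triage order: confirm the cache entries against a clean 8.2.1 install, treat the upload hit as a live shell, and use the source IP from the log finding to pull every earlier request from the same client when looking for the injection itself.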
References
- VulnCheck, “MetInfo CMS Unauthenticated PHP Code Injection (RCE)”, published April 30, 2026.
- NVD (NIST), “CVE-2026-29014”, accessed May 8, 2026.
- Karma Insecurity, “CVE-2026-29014 – MetInfo CMS – Unauthenticated PHP Code Injection Remote Code Execution”, published April 1, 2026; updated April 7, 2026.
- The Hacker News, “MetInfo CMS RCE flaw CVE-2026-29014 exploited in the wild; patch now”, published May 5, 2026.