MetInfo CMS Unauthenticated PHP Code Injection Under Active Exploitation (CVE-2026-29014)
Scope: MetInfo CMS Versions 7.9, 8.0, and 8.1
Severity: Red
A critical unauthenticated PHP code injection vulnerability (CVSS 9.8) affects MetInfo CMS versions 7.9 through 8.1. Insufficient input sanitization in the WeChat plugin's weixinreply.class.php script lets remote attackers execute arbitrary code by sending crafted HTTP requests, with no authentication required. Active exploitation has been observed since April 25, 2026, with activity surging on May 1 and targeting instances in China, Hong Kong, the U.S., and Singapore.

Organizations should immediately apply the patch released by MetInfo on April 7, 2026; restrict administrative interfaces to trusted IP addresses or VPN access; deploy a WAF to block injection attempts; and scan web roots for web shells or unauthorized files that would indicate a prior compromise, since the patch closes the entry point but does not remove anything an attacker has already planted.
The Uganda National CERT and Coordination Center (CERT.UG/CC) encourages users and administrators to review the recommendations and apply the necessary updates.