MetInfo CMS CVE-2026-29014 Under Active Exploitation — Unauthenticated RCE (CVSS 9.8)

CVE-2026-29014 is a code injection flaw (CVSS 9.8) in MetInfo CMS versions 7.9, 8.0, and 8.1 that allows unauthenticated attackers to execute arbitrary PHP code. VulnCheck has confirmed active exploitation in the wild. The vulnerability resides in unauthenticated functionality, meaning no credentials or prior access are required to trigger it. Any internet-exposed MetInfo instance on an affected version should be treated as compromised until patched. Operators should upgrade immediately, review web server logs for unexpected PHP execution, and consider taking the admin panel offline if a patch cannot be applied immediately.