Threat actors are actively exploiting a critical code injection vulnerability in MetInfo CMS, an open-source content management system. Versions 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection flaw (CVE-2026-29014, CVSS 9.8) that allows arbitrary code execution and is currently being weaponized in the field.