A critical vulnerability in the MetInfo content management system, tracked as CVE-2026-29014, is being actively exploited by threat actors to execute code remotely on vulnerable systems. The code injection flaw affects MetInfo CMS versions 7.9, 8.0, and 8.1 and has a CVSS score of 9.8. It allows unauthenticated PHP code execution: an attacker can inject malicious code without authenticating. Systems running the affected versions are therefore exposed to remote code execution attacks, which can lead to unauthorized access, data breaches, and other malicious activities. This exploitation expands the active attack surface, so practitioners should prioritize mitigation based on their exposure and on evidence of exploitation. The severity of the flaw and its active exploitation call for immediate attention and patching to prevent security breaches.