Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionCVE.org
A flaw has been found in FoundationAgents MetaGPT up to 0.8.1. This vulnerability affects the function ActionNode.xml_fill of the file metagpt/actions/action_node.py of the component XML Handler. Executing a manipulation can lead to improper neutralization of directives in dynamically evaluated code. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
AnalysisAI
Remote code injection in FoundationAgents MetaGPT up to version 0.8.1 allows unauthenticated attackers to execute arbitrary code via improper neutralization of directives in the ActionNode.xml_fill XML handler function. The vulnerability has publicly available exploit code and affects the dynamic code evaluation mechanism in metagpt/actions/action_node.py, enabling attackers to manipulate XML input for code injection with low complexity and no authentication required.
Technical ContextAI
The vulnerability stems from CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code), which occurs when untrusted input is used in dynamic code evaluation without proper sanitization. In MetaGPT, the ActionNode.xml_fill function in the XML Handler component processes XML data that is subsequently evaluated as code. The affected CPE (cpe:2.3:a:foundationagents:metagpt:*:*:*:*:*:*:*:*) indicates all versions up to 0.8.1 are vulnerable. The XML parsing mechanism fails to neutralize malicious directives embedded in XML attributes or content, allowing attackers to inject code that will be executed within the application's Python interpreter context.
RemediationAI
No vendor-released patch identified at time of analysis. The project was notified early through GitHub pull request but has not yet implemented or released a fix. Users should monitor the official MetaGPT repository (https://github.com/FoundationAgents/MetaGPT) for security updates. As an interim mitigation, implement strict input validation and sanitization for all XML data fed to the ActionNode.xml_fill function, restrict network access to MetaGPT instances if operationally feasible, and consider running MetaGPT in isolated or sandboxed environments to limit the impact of potential code injection. Review GitHub issues #1928 and #1956 for community-proposed mitigations until an official patch is released.
MetaGPT through 0.6.4 allows the QaEngineer role to execute arbitrary code because RunCode.run_script() passes shell met
MetaGPT has a code injection vulnerability in actionoutput_str_to_mapping (EPSS 2.6%) allowing remote attackers to execu
MetaGPT by Foundation Agents has an insecure deserialization in deserialize_message (EPSS 1.7%) enabling remote code exe
Remote command injection in FoundationAgents MetaGPT versions 0.8.0 and 0.8.1 via the get_mime_type function in metagpt/
Remote code execution in FoundationAgents MetaGPT up to version 0.8.1 allows unauthenticated attackers to execute arbitr
Code injection in FoundationAgents MetaGPT versions up to 0.8.1 allows unauthenticated remote attackers to execute arbit
Code injection in FoundationAgents MetaGPT versions up to 0.8.1 allows unauthenticated remote attackers to execute arbit
Remote command injection in FoundationAgents MetaGPT versions up to 0.8.1 allows unauthenticated network attackers to ex
Server-side request forgery (SSRF) in FoundationAgents MetaGPT up to version 0.8.1 allows authenticated remote attackers
A code injection vulnerability exists in Foundation Agents MetaGPT up to version 0.8.1, specifically in the DataInterpre
A code injection vulnerability exists in Foundation Agents MetaGPT versions up to 0.8.1 within the code_generate functio
Cross-site request forgery in FoundationAgents MetaGPT through version 0.8.1 allows unauthenticated remote attackers to
Same weakness CWE-95 – Eval Injection
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21004
GHSA-3ghp-8r47-4gj4