Skip to main content

Metagpt CVE-2026-5971

| EUVDEUVD-2026-21004 MEDIUM
Eval Injection (CWE-95)
2026-04-09 VulDB GHSA-3ghp-8r47-4gj4
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
CVSS changed
Apr 29, 2026 - 01:11 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
PoC Detected
Apr 09, 2026 - 18:17 vuln.today
Public exploit code
EUVD ID Assigned
Apr 09, 2026 - 18:15 euvd
EUVD-2026-21004
Analysis Generated
Apr 09, 2026 - 18:15 vuln.today
CVE Published
Apr 09, 2026 - 18:00 nvd
MEDIUM 6.9

DescriptionCVE.org

A flaw has been found in FoundationAgents MetaGPT up to 0.8.1. This vulnerability affects the function ActionNode.xml_fill of the file metagpt/actions/action_node.py of the component XML Handler. Executing a manipulation can lead to improper neutralization of directives in dynamically evaluated code. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.

AnalysisAI

Remote code injection in FoundationAgents MetaGPT up to version 0.8.1 allows unauthenticated attackers to execute arbitrary code via improper neutralization of directives in the ActionNode.xml_fill XML handler function. The vulnerability has publicly available exploit code and affects the dynamic code evaluation mechanism in metagpt/actions/action_node.py, enabling attackers to manipulate XML input for code injection with low complexity and no authentication required.

Technical ContextAI

The vulnerability stems from CWE-95 (Improper Neutralization of Directives in Dynamically Evaluated Code), which occurs when untrusted input is used in dynamic code evaluation without proper sanitization. In MetaGPT, the ActionNode.xml_fill function in the XML Handler component processes XML data that is subsequently evaluated as code. The affected CPE (cpe:2.3:a:foundationagents:metagpt:*:*:*:*:*:*:*:*) indicates all versions up to 0.8.1 are vulnerable. The XML parsing mechanism fails to neutralize malicious directives embedded in XML attributes or content, allowing attackers to inject code that will be executed within the application's Python interpreter context.

RemediationAI

No vendor-released patch identified at time of analysis. The project was notified early through GitHub pull request but has not yet implemented or released a fix. Users should monitor the official MetaGPT repository (https://github.com/FoundationAgents/MetaGPT) for security updates. As an interim mitigation, implement strict input validation and sanitization for all XML data fed to the ActionNode.xml_fill function, restrict network access to MetaGPT instances if operationally feasible, and consider running MetaGPT in isolated or sandboxed environments to limit the impact of potential code injection. Review GitHub issues #1928 and #1956 for community-proposed mitigations until an official patch is released.

CVE-2024-23750 HIGH POC
8.8 Jan 22

MetaGPT through 0.6.4 allows the QaEngineer role to execute arbitrary code because RunCode.run_script() passes shell met

CVE-2026-0761 CRITICAL
9.8 Jan 23

MetaGPT has a code injection vulnerability in actionoutput_str_to_mapping (EPSS 2.6%) allowing remote attackers to execu

CVE-2026-0760 CRITICAL
9.8 Jan 23

MetaGPT by Foundation Agents has an insecure deserialization in deserialize_message (EPSS 1.7%) enabling remote code exe

CVE-2026-5973 MEDIUM POC
5.5 Apr 09

Remote command injection in FoundationAgents MetaGPT versions 0.8.0 and 0.8.1 via the get_mime_type function in metagpt/

CVE-2026-5972 MEDIUM POC
5.5 Apr 09

Remote code execution in FoundationAgents MetaGPT up to version 0.8.1 allows unauthenticated attackers to execute arbitr

CVE-2026-6110 MEDIUM POC
5.5 Apr 12

Code injection in FoundationAgents MetaGPT versions up to 0.8.1 allows unauthenticated remote attackers to execute arbit

CVE-2026-5970 MEDIUM POC
5.5 Apr 09

Code injection in FoundationAgents MetaGPT versions up to 0.8.1 allows unauthenticated remote attackers to execute arbit

CVE-2026-5974 MEDIUM
6.9 Apr 09

Remote command injection in FoundationAgents MetaGPT versions up to 0.8.1 allows unauthenticated network attackers to ex

CVE-2026-6111 LOW POC
2.1 Apr 12

Server-side request forgery (SSRF) in FoundationAgents MetaGPT up to version 0.8.1 allows authenticated remote attackers

CVE-2026-4516 LOW POC
2.1 Mar 21

A code injection vulnerability exists in Foundation Agents MetaGPT up to version 0.8.1, specifically in the DataInterpre

CVE-2026-4515 LOW POC
2.1 Mar 21

A code injection vulnerability exists in Foundation Agents MetaGPT versions up to 0.8.1 within the code_generate functio

CVE-2026-6109 LOW POC
2.1 Apr 12

Cross-site request forgery in FoundationAgents MetaGPT through version 0.8.1 allows unauthenticated remote attackers to

Share

CVE-2026-5971 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy