Is there a patch available for CVE-2026-5974?

Yes, a patch is available for CVE-2026-5974. Update the affected software to the latest version immediately.

Metagpt CVE-2026-5974

Q: What is the CVSS score of CVE-2026-5974?

CVE-2026-5974 has a CVSS 4.0 base score of 6.9 (Medium). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.8%.

EUVD-2026-21072 MEDIUM

OS Command Injection (CWE-78)

2026-04-09 VulDB

GHSA-fcc8-4q7h-wvwc

Command Injection Metagpt

6.9

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

6.9 MEDIUM

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

EUVD ID Assigned

Apr 09, 2026 - 20:15 euvd

EUVD-2026-21072

Analysis Generated

Apr 09, 2026 - 20:15 vuln.today

Patch released

Apr 09, 2026 - 20:15 nvd

Patch available

CVE Published

Apr 09, 2026 - 19:30 nvd

MEDIUM 6.9

DescriptionCVE.org

A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.1. The affected element is the function Bash.run in the library metagpt/tools/libs/terminal.py. This manipulation causes os command injection. The attack is possible to be carried out remotely. The project was informed of the problem early through a pull request but has not reacted yet.

AnalysisAI

Remote command injection in FoundationAgents MetaGPT versions up to 0.8.1 allows unauthenticated network attackers to execute arbitrary OS commands via the Bash.run function in metagpt/tools/libs/terminal.py. The vulnerability has a CVSS score of 6.9 with network-accessible attack vector and low complexity, and matches CISA SSVC criteria for partial technical impact with automatable exploitation; a proof-of-concept exists but no confirmed active exploitation has been reported.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Vulnerability AssessmentAI

Risk Assessment	This vulnerability presents a moderate-to-elevated real-world risk despite the 6.9 CVSS score. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario	An attacker gains access to a MetaGPT instance exposed on a network (either directly or via a web API wrapper) and crafts a malicious request containing OS command injection payloads in parameters passed to the Bash.run function. For example, a request with a crafted filename or command argument like `test.txt; rm -rf /` or `$(malicious_command)` would execute the injected command on the underlying system with the privileges of the MetaGPT process. …
Remediation	Vendor-released patch status is listed as available; however, the specific patched version number is not independently confirmed from the provided data. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-5974 vulnerability details – vuln.today

Back