Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
9DescriptionCVE.org
A vulnerability was identified in FoundationAgents MetaGPT up to 0.8.1. This affects the function generate_thoughts of the file metagpt/strategy/tot.py of the component Tree-of-Thought Solver. The manipulation leads to code injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Code injection in FoundationAgents MetaGPT versions up to 0.8.1 allows unauthenticated remote attackers to execute arbitrary code via the Tree-of-Thought Solver's generate_thoughts function. Publicly available exploit code exists (GitHub issue #1933), and a vendor-supplied patch is available via pull request #1946. The vulnerability requires no user interaction and has low attack complexity, with confirmed impact to confidentiality, integrity, and availability. CVSS 7.3 (High) reflects moderate impact across all CIA triad elements.
Technical ContextAI
MetaGPT is an AI agent framework that implements advanced reasoning patterns including Tree-of-Thought (ToT) solving. The vulnerable function generate_thoughts in metagpt/strategy/tot.py (CWE-94: Improper Control of Generation of Code) accepts externally-influenced input that is dynamically evaluated or executed without adequate sanitization. Tree-of-Thought is a cognitive framework for LLM reasoning that explores multiple solution paths; the implementation flaw allows attackers to inject malicious code into the thought generation process. The affected CPE (cpe:2.3:a:foundationagents:metagpt) indicates all versions through 0.8.1 contain this flaw. Code injection vulnerabilities of this class typically arise from unsafe use of eval(), exec(), or similar dynamic code execution primitives on attacker-controlled data.
RemediationAI
Apply the vendor-supplied patch available via GitHub pull request at https://github.com/FoundationAgents/MetaGPT/pull/1946, which addresses the code injection vulnerability in the Tree-of-Thought solver. Organizations should review the PR changes, test compatibility with existing workflows, and upgrade to a version incorporating this fix once officially released. Until a tagged release version incorporating PR #1946 is available, development teams may apply the patch manually or build from the patched source branch. As an interim mitigation, restrict network access to MetaGPT instances, implement input validation on any data passed to the Tree-of-Thought solver, and monitor for suspicious code execution patterns. Consider disabling the ToT strategy module entirely if not operationally required. Consult the vendor issue tracker at https://github.com/FoundationAgents/MetaGPT/issues/1933 for updates on formal release timelines.
MetaGPT through 0.6.4 allows the QaEngineer role to execute arbitrary code because RunCode.run_script() passes shell met
MetaGPT has a code injection vulnerability in actionoutput_str_to_mapping (EPSS 2.6%) allowing remote attackers to execu
MetaGPT by Foundation Agents has an insecure deserialization in deserialize_message (EPSS 1.7%) enabling remote code exe
Remote command injection in FoundationAgents MetaGPT versions 0.8.0 and 0.8.1 via the get_mime_type function in metagpt/
Remote code execution in FoundationAgents MetaGPT up to version 0.8.1 allows unauthenticated attackers to execute arbitr
Remote code injection in FoundationAgents MetaGPT up to version 0.8.1 allows unauthenticated attackers to execute arbitr
Code injection in FoundationAgents MetaGPT versions up to 0.8.1 allows unauthenticated remote attackers to execute arbit
Remote command injection in FoundationAgents MetaGPT versions up to 0.8.1 allows unauthenticated network attackers to ex
Server-side request forgery (SSRF) in FoundationAgents MetaGPT up to version 0.8.1 allows authenticated remote attackers
A code injection vulnerability exists in Foundation Agents MetaGPT up to version 0.8.1, specifically in the DataInterpre
A code injection vulnerability exists in Foundation Agents MetaGPT versions up to 0.8.1 within the code_generate functio
Cross-site request forgery in FoundationAgents MetaGPT through version 0.8.1 allows unauthenticated remote attackers to
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-21696
GHSA-xr7v-m9px-q4qj