Is there a public PoC exploit available for EUVD-2026-21694?

Yes, a public proof-of-concept exploit is available for EUVD-2026-21694. Prioritise patching immediately. EPSS: 0.0%.

Metagpt EUVD-2026-21694

Q: What is the CVSS score of EUVD-2026-21694?

EUVD-2026-21694 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-6109 LOW

Cross-Site Request Forgery (CSRF) (CWE-352)

2026-04-12 VulDB

GHSA-w287-wwhf-95vv

CSRF Metagpt

2.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.1 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Scope

Lifecycle Timeline

PoC Detected

Apr 29, 2026 - 18:46 vuln.today

Public exploit code

Severity Changed

Apr 29, 2026 - 01:11 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:11 NVD

5.3 (MEDIUM) 2.1 (LOW)

CVSS changed

Apr 12, 2026 - 02:22 NVD

4.3 (MEDIUM) 5.3 (MEDIUM)

Analysis Generated

Apr 12, 2026 - 01:47 vuln.today

EUVD ID Assigned

Apr 12, 2026 - 01:45 euvd

EUVD-2026-21694

Analysis Generated

Apr 12, 2026 - 01:45 vuln.today

CVE Published

Apr 12, 2026 - 01:30 nvd

LOW 2.1

DescriptionCVE.org

A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.1. The impacted element is the function evaluateCode of the file metagpt/environment/minecraft/mineflayer/index.js of the component Mineflayer HTTP API. Executing a manipulation can lead to cross-site request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Cross-site request forgery in FoundationAgents MetaGPT through version 0.8.1 allows unauthenticated remote attackers to perform unauthorized actions via the evaluateCode function in the Mineflayer HTTP API component. The vulnerability requires user interaction (UI:R) and has limited integrity impact, but publicly available exploit code exists and the vendor has not yet responded to early notification.

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Attacker crafts malicious web page

Delivery

User visits page while authenticated to MetaGPT

Exploit

Browser sends forged CSRF request to Mineflayer API

Execution

evaluateCode function processes request without token validation

Impact

Attacker-controlled code executes with user privileges