Is there a public PoC exploit available for EUVD-2026-21698?

Yes, a public proof-of-concept exploit is available for EUVD-2026-21698. Prioritise patching immediately. EPSS: 0.0%.

Is there a patch available for EUVD-2026-21698?

Yes, a patch is available for EUVD-2026-21698. Update the affected software to the latest version immediately.

Metagpt EUVD-2026-21698

Q: What is the CVSS score of EUVD-2026-21698?

EUVD-2026-21698 has a CVSS 4.0 base score of 2.1 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-6111 LOW

Server-Side Request Forgery (SSRF) (CWE-918)

2026-04-12 VulDB

GHSA-r5v8-c28h-f8r8

SSRF Metagpt

2.1

CVSS 4.0 · NVD

Severity by source

NVD PRIMARY

2.1 LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Lifecycle Timeline

PoC Detected

Apr 30, 2026 - 14:49 vuln.today

Public exploit code

Severity Changed

Apr 29, 2026 - 01:11 NVD

MEDIUM LOW

CVSS changed

Apr 29, 2026 - 01:11 NVD

5.3 (MEDIUM) 2.1 (LOW)

CVSS changed

Apr 12, 2026 - 03:22 NVD

6.3 (MEDIUM) 5.3 (MEDIUM)

Analysis Generated

Apr 12, 2026 - 02:49 vuln.today

EUVD ID Assigned

Apr 12, 2026 - 02:45 euvd

EUVD-2026-21698

Analysis Generated

Apr 12, 2026 - 02:45 vuln.today

Patch released

Apr 12, 2026 - 02:45 nvd

Patch available

CVE Published

Apr 12, 2026 - 02:30 nvd

LOW 2.1

DescriptionCVE.org

A security flaw has been discovered in FoundationAgents MetaGPT up to 0.8.1. This impacts the function decode_image of the file metagpt/utils/common.py. The manipulation of the argument img_url_or_b64 results in server-side request forgery. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Server-side request forgery (SSRF) in FoundationAgents MetaGPT up to version 0.8.1 allows authenticated remote attackers to conduct arbitrary requests via manipulation of the img_url_or_b64 parameter in the decode_image function of metagpt/utils/common.py. Publicly available exploit code exists, and a vendor patch has been released. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Obtain authenticated credentials or session

Delivery

Craft malicious img_url_or_b64 parameter pointing to internal resource

Exploit

Submit request to image processing endpoint

Execution

Server issues SSRF request to attacker-controlled target

Impact

Exfiltrate sensitive data or enumerate internal services