CVE-2026-5972 | Mend Vulnerability Database

Vulnerability DatabaseCVE-2026-5972

CVE-2026-5972

Published:April 09, 2026

Updated:May 16, 2026

A vulnerability has been found in FoundationAgents MetaGPT up to 0.8.1. This issue affects the function Terminal.run_command in the library metagpt/tools/libs/terminal.py. The manipulation leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The identifier of the patch is d04ffc8dc67903e8b327f78ec121df5e190ffc7b. Applying a patch is the recommended action to fix this issue.

Affected Packages

metagpt (PYTHON):

Affected version(s) >=0.1 <0.8.2

Fix Suggestion:

Update to version 0.8.2

Related Resources (8)

https://github.com/paipeline/MetaGPT/commit/d04ffc8dc67903e8b327f78ec121df5e190ffc7b

https://vuldb.com/submit/791745

https://github.com/FoundationAgents/MetaGPT

https://nvd.nist.gov/vuln/detail/CVE-2026-5972

https://vuldb.com/vuln/356526

https://github.com/FoundationAgents/MetaGPT/

https://github.com/FoundationAgents/MetaGPT/issues/1929

https://vuldb.com/vuln/356526/cti

Do you need more information?

CVSS v4

Base Score:

5.5

Attack Vector

NETWORK

Attack Complexity

LOW

Attack Requirements

NONE

Privileges Required

NONE

User Interaction

NONE

Vulnerable System Confidentiality

LOW

Vulnerable System Integrity

LOW

Vulnerable System Availability

LOW

Subsequent System Confidentiality

NONE

Subsequent System Integrity

NONE

Subsequent System Availability

NONE

Exploit Maturity

POC

CVSS v3

Base Score:

7.3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Exploit Maturity

PROOF-OF-CONCEPT

Weakness Type (CWE)

Improper Neutralization of Special Elements used in a Command ('Command Injection')

CWE-77

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

CWE-78

EPSS

Base Score:

0.40