CVE-2026-5974
FoundationAgents MetaGPT terminal.py Bash.run os command injection
CVSS Score
7.3
EPSS Score
0.0%
EPSS Percentile
0th
A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.1. The affected element is the function Bash.run in the library metagpt/tools/libs/terminal.py. This manipulation causes os command injection. The attack is possible to be carried out remotely. The project was informed of the problem early through a pull request but has not reacted yet.
| CWE | CWE-78 CWE-77 |
| Vendor | foundationagents |
| Product | metagpt |
| Published | Apr 9, 2026 |
| Last Updated | Apr 9, 2026 |
Stay Ahead of the Next One
Get instant alerts for foundationagents metagpt
Be the first to know when new high vulnerabilities affecting foundationagents metagpt are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
FoundationAgents / MetaGPT
0.8.0 0.8.1
References
vuldb.com: https://vuldb.com/vuln/356528 vuldb.com: https://vuldb.com/vuln/356528/cti vuldb.com: https://vuldb.com/submit/791758 github.com: https://github.com/FoundationAgents/MetaGPT/issues/1931 github.com: https://github.com/FoundationAgents/MetaGPT/pull/1940 github.com: https://github.com/FoundationAgents/MetaGPT/
Credits
๐ Eric-d (VulDB User) VulDB CNA Team