CVE-2026-5972 · CRITICAL 9.8 · EPSS percentile 81.3%


Description

A vulnerability has been found in FoundationAgents MetaGPT up to version 0.8.1. The issue affects the function Terminal.run_command in the file metagpt/tools/libs/terminal.py. Manipulation of its input leads to OS command injection. The vulnerability can be exploited remotely. The exploit has been disclosed to the public and may be used. The patch is identified as commit d04ffc8dc67903e8b327f78ec121df5e190ffc7b; applying it is the recommended remediation.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 2.33% probability of exploitation · percentile 81.3% · 2026-06-19T12:03:05Z
Published: 2026-04-09
Last modified: 2026-04-29

Underlying weaknesses (2)

CWE-77, CWE-78

References

  1. https://github.com/FoundationAgents/MetaGPT/
  2. https://github.com/FoundationAgents/MetaGPT/issues/1929
  3. https://github.com/paipeline/MetaGPT/commit/d04ffc8dc67903e8b327f78ec121df5e190ffc7b
  4. https://vuldb.com/submit/791745
  5. https://vuldb.com/vuln/356526
  6. https://vuldb.com/vuln/356526/cti


Type     | Target                                                                                   | Confidence | Tier
Weakness | Improper Neutralization of Special Elements used in a Command ('Command Injection') (CWE-77)      | 0%         | live
Weakness | Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78) | 0%         | live

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.