CVE-2026-5971

HIGH

A flaw has been found in FoundationAgents MetaGPT up to 0.8.1. This vulnerability affects the function ActionNode.xml_fill of the file metagpt/actions/action_node.py of the component XML Handler. Executing a manipulation can lead to improper neutralization of directives in dynamically evaluated code. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.

CVSS v3.1 Score

7.3
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
NETWORK
Complexity
LOW
Privileges
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
LOW
Published: 4/9/2026Modified: 4/29/2026

Related Intelligence (0)

No articles currently reference this CVE.

References (6)

https://github.com/FoundationAgents/MetaGPT/Producthttps://github.com/FoundationAgents/MetaGPT/issues/1928Issue TrackingExploithttps://github.com/FoundationAgents/MetaGPT/issues/1956Issue Trackinghttps://vuldb.com/submit/791734ExploitThird Party Advisoryhttps://vuldb.com/vuln/356525Third Party AdvisoryVDB Entryhttps://vuldb.com/vuln/356525/ctiPermissions RequiredVDB Entry