CVE-2026-5971

Exploit

EPSS 0.39%
Veröffentlicht 09.04.2026 18:17:04
Zuletzt bearbeitet 29.04.2026 19:45:53
Quelle cna@vuldb.com
CVE-Watchlists
Login
Unerledigt
Login

FoundationAgents MetaGPT XML action_node.py ActionNode.xml_fill eval injection

A flaw has been found in FoundationAgents MetaGPT up to 0.8.1. This vulnerability affects the function ActionNode.xml_fill of the file metagpt/actions/action_node.py of the component XML Handler. Executing a manipulation can lead to improper neutralization of directives in dynamically evaluated code. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.

Betroffene Produkte Warnungen 0 Metriken 5 CWE 2 Referenzen 9

NVD 1 VulnDex Vulnerability Enrichment 0

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Deepwisdom ≫ Metagpt Version <= 0.8.1

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.39%	0.303

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
nvd@nist.gov	9.8	3.9	5.9	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
cna@vuldb.com	5.5	0	0	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
cna@vuldb.com	7.3	3.9	3.4	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
cna@vuldb.com	7.5	10	6.4	AV:N/AC:L/Au:N/C:P/I:P/A:P

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

CWE-95 Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection')

The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").

https://github.com/FoundationAgents/MetaGPT/

Product

https://github.com/FoundationAgents/MetaGPT/issues/1928

Exploit

Issue Tracking

https://github.com/FoundationAgents/MetaGPT/issues/1956

Issue Tracking

https://vuldb.com/submit/791734

Third Party Advisory

Exploit

VDB Entry

https://vuldb.com/vuln/356525

Third Party Advisory

VDB Entry

https://vuldb.com/vuln/356525/cti

VDB Entry

Permissions Required

https://nvd.nist.gov/vuln/detail/CVE-2026-5971

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-5971

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-5971

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-5971