Metagpt

A command injection vulnerability exists in FoundationAgents MetaGPT version 0.8.1 affecting the Bash.run function, enabling remote attackers to execute arbitrary OS commands via crafted input.

A remote command injection vulnerability exists in FoundationAgents MetaGPT <= 0.8.1 via the Terminal.run_command function, allowing unauthenticated attackers to execute arbitrary OS commands.

A code injection vulnerability, CVE-2026-5970, exists in FoundationAgents MetaGPT up to version 0.8.1, allowing remote attackers to execute arbitrary code via manipulation of the `check_solution` function in the HumanEvalBenchmark/MBPPBenchmark component.

A code injection vulnerability exists in FoundationAgents MetaGPT <= 0.8.1 within the ActionNode.xml_fill function, allowing remote attackers to inject code due to improper neutralization of directives in dynamically evaluated code.