{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/metagpt/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5974"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["command-injection","metagpt","cve-2026-5974"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA critical command injection vulnerability, tracked as CVE-2026-5974, has been identified in FoundationAgents MetaGPT up to version 0.8.1. The vulnerability resides within the \u003ccode\u003eBash.run\u003c/code\u003e function located in the \u003ccode\u003emetagpt/tools/libs/terminal.py\u003c/code\u003e library. An attacker can exploit this flaw by injecting malicious commands into the \u003ccode\u003eBash.run\u003c/code\u003e function, leading to arbitrary OS command execution on the target system. The vulnerability is remotely exploitable, posing a significant risk. Although the developers were notified via a pull request, no patch has been released as of the publication of this brief. 
This vulnerability could be exploited to gain unauthorized access, escalate privileges, or compromise the entire system.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a MetaGPT instance running version 0.8.1 or earlier.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious input string containing OS commands.\u003c/li\u003e\n\u003cli\u003eThis malicious string is passed to the \u003ccode\u003eBash.run\u003c/code\u003e function in \u003ccode\u003emetagpt/tools/libs/terminal.py\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eDue to insufficient input validation, the injected commands are not properly neutralized.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eBash.run\u003c/code\u003e function executes the injected OS commands using the underlying operating system\u0026rsquo;s shell.\u003c/li\u003e\n\u003cli\u003eThe attacker gains the ability to execute arbitrary code on the server.\u003c/li\u003e\n\u003cli\u003eThe attacker could then install malware, create new user accounts, or exfiltrate sensitive data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability could allow an attacker to execute arbitrary operating system commands on the server hosting the vulnerable MetaGPT instance. This could lead to complete system compromise, including data theft, malware installation, and denial-of-service attacks. 
Due to the nature of command injection, the impact is highly dependent on the privileges of the user account running the MetaGPT application.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply input validation and sanitization to the \u003ccode\u003eBash.run\u003c/code\u003e function in the \u003ccode\u003emetagpt/tools/libs/terminal.py\u003c/code\u003e library to prevent command injection (CVE-2026-5974).\u003c/li\u003e\n\u003cli\u003eMonitor process creations for unusual commands executed by the MetaGPT application (see Sigma rule \u0026ldquo;Detect Suspicious MetaGPT Bash.run Execution\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eDeploy a web application firewall (WAF) to filter out potentially malicious payloads being sent to the MetaGPT application.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T20:16:29Z","date_published":"2026-04-09T20:16:29Z","id":"/briefs/2026-04-metagpt-cmd-injection/","summary":"A command injection vulnerability exists in FoundationAgents MetaGPT version 0.8.1 affecting the Bash.run function, enabling remote attackers to execute arbitrary OS commands via crafted input.","title":"MetaGPT Bash.run Command Injection Vulnerability (CVE-2026-5974)","url":"https://feed.craftedsignal.io/briefs/2026-04-metagpt-cmd-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5972"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["critical"],"_cs_tags":["CVE-2026-5972","command-injection","metagpt"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5972 describes a critical OS command injection vulnerability affecting FoundationAgents MetaGPT versions up to 0.8.1. The vulnerability resides in the \u003ccode\u003eTerminal.run_command\u003c/code\u003e function within the \u003ccode\u003emetagpt/tools/libs/terminal.py\u003c/code\u003e file. 
This flaw allows remote attackers to inject and execute arbitrary operating system commands on the affected system. The vulnerability is remotely exploitable, meaning that attackers can trigger it over a network without requiring local access. Public exploits for this vulnerability are available, increasing the risk of widespread exploitation. The patch identified as \u003ccode\u003ed04ffc8dc67903e8b327f78ec121df5e190ffc7b\u003c/code\u003e addresses this vulnerability and upgrading to a patched version is highly recommended.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable MetaGPT instance running a version \u0026lt;= 0.8.1.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious request targeting the \u003ccode\u003eTerminal.run_command\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe malicious request contains an OS command injection payload within the input parameters expected by \u003ccode\u003eTerminal.run_command\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMetaGPT processes the request, passing the attacker-controlled input to the underlying operating system\u0026rsquo;s command interpreter without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe operating system executes the injected command as part of the MetaGPT process, granting the attacker code execution within the server environment.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the initial foothold to escalate privileges, potentially gaining root access or compromising other services on the system.\u003c/li\u003e\n\u003cli\u003eThe attacker may then install malware, establish persistence, or exfiltrate sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, which could include data theft, denial of service, or complete system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows remote attackers to execute arbitrary commands on the affected system. This can lead to complete system compromise, including data theft, malware installation, and denial of service. Given the publicly available exploit, unpatched MetaGPT instances are at immediate risk. The vulnerability has a CVSS v3.1 score of 7.3, indicating a high level of severity. The number of victims and sectors targeted is currently unknown, but given the nature of the vulnerability, any organization using MetaGPT is potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch \u003ccode\u003ed04ffc8dc67903e8b327f78ec121df5e190ffc7b\u003c/code\u003e provided by FoundationAgents to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious requests targeting the MetaGPT application, specifically those containing command injection attempts (cs-uri-query, cs-method, sc-status).\u003c/li\u003e\n\u003cli\u003eImplement the provided Sigma rule to detect command execution originating from the MetaGPT application (logsource).\u003c/li\u003e\n\u003cli\u003eReview network traffic for unusual outbound connections originating from MetaGPT servers, which could indicate successful exploitation and malware installation (category: network_connection).\u003c/li\u003e\n\u003cli\u003eEnable and review process creation logs on MetaGPT servers to identify any unexpected child processes spawned by the MetaGPT application, as this could indicate command injection exploitation (category: process_creation).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T20:16:28Z","date_published":"2026-04-09T20:16:28Z","id":"/briefs/2026-04-metagpt-command-injection/","summary":"A remote command injection vulnerability exists in FoundationAgents MetaGPT \u003c= 0.8.1 via the 
Terminal.run_command function, allowing unauthenticated attackers to execute arbitrary OS commands.","title":"MetaGPT OS Command Injection Vulnerability (CVE-2026-5972)","url":"https://feed.craftedsignal.io/briefs/2026-04-metagpt-command-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5970"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["code-injection","metagpt","cve-2026-5970"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eCVE-2026-5970 is a critical vulnerability affecting FoundationAgents MetaGPT, a framework for multi-agent systems, up to version 0.8.1. The vulnerability resides within the \u003ccode\u003echeck_solution\u003c/code\u003e function of the \u003ccode\u003eHumanEvalBenchmark/MBPPBenchmark\u003c/code\u003e component. This flaw enables a remote attacker to inject and execute arbitrary code by manipulating input parameters. The vulnerability has been publicly disclosed and exploits are readily available. The maintainers of the MetaGPT project were notified via pull request but have not yet addressed the issue, increasing the risk to users of affected versions. 
Successful exploitation could lead to complete system compromise.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable MetaGPT instance running a version \u0026lt;= 0.8.1.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious input designed to exploit the \u003ccode\u003echeck_solution\u003c/code\u003e function within the \u003ccode\u003eHumanEvalBenchmark/MBPPBenchmark\u003c/code\u003e component.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted input to the MetaGPT instance, potentially via a network request or other remote interface.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003echeck_solution\u003c/code\u003e function processes the malicious input without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe lack of input sanitization allows the attacker to inject arbitrary code.\u003c/li\u003e\n\u003cli\u003eThe injected code is then executed within the context of the MetaGPT application.\u003c/li\u003e\n\u003cli\u003eDepending on the privileges of the MetaGPT process, the attacker can gain control of the system or access sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker may use this initial access to pivot to other systems within the network, install malware, or exfiltrate data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5970 allows remote attackers to execute arbitrary code on systems running vulnerable versions of FoundationAgents MetaGPT. This can lead to complete system compromise, data breaches, and further malicious activities within the compromised environment. 
Given the nature of MetaGPT, this could potentially affect development environments, CI/CD pipelines, or even production systems where the framework is utilized, leading to significant financial and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of MetaGPT as soon as one becomes available.\u003c/li\u003e\n\u003cli\u003eMonitor network traffic for suspicious activity targeting MetaGPT instances, using network connection logs.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures within the \u003ccode\u003echeck_solution\u003c/code\u003e function (if possible as a temporary mitigation) to prevent code injection.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to detect attempts to exploit this vulnerability based on suspicious process creation related to MetaGPT.\u003c/li\u003e\n\u003cli\u003eReview and restrict network access to MetaGPT instances to minimize the attack surface.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T18:17:04Z","date_published":"2026-04-09T18:17:04Z","id":"/briefs/2026-04-metagpt-code-injection/","summary":"A code injection vulnerability, CVE-2026-5970, exists in FoundationAgents MetaGPT up to version 0.8.1, allowing remote attackers to execute arbitrary code via manipulation of the `check_solution` function in the HumanEvalBenchmark/MBPPBenchmark component.","title":"MetaGPT Code Injection Vulnerability (CVE-2026-5970)","url":"https://feed.craftedsignal.io/briefs/2026-04-metagpt-code-injection/"},{"_cs_actors":[],"_cs_cves":[{"cvss":7.3,"id":"CVE-2026-5971"}],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["code-injection","vulnerability","metagpt","CVE-2026-5971"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eA code injection vulnerability, identified as CVE-2026-5971, has been discovered in FoundationAgents MetaGPT 
versions up to 0.8.1. The vulnerability resides in the \u003ccode\u003eActionNode.xml_fill\u003c/code\u003e function within the \u003ccode\u003emetagpt/actions/action_node.py\u003c/code\u003e file, specifically related to the XML Handler component. This flaw allows a remote attacker to inject malicious code by exploiting improper neutralization of directives in dynamically evaluated code. A proof-of-concept exploit is publicly available, increasing the likelihood of exploitation. The project maintainers were notified of the vulnerability via a pull request but have not yet addressed the issue. This poses a significant risk to systems using vulnerable versions of MetaGPT, especially those exposed to untrusted input.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a MetaGPT instance running a vulnerable version (\u0026lt;= 0.8.1).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts malicious XML input designed to exploit the \u003ccode\u003eActionNode.xml_fill\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the malicious XML to the MetaGPT instance through a network request, likely via an API endpoint.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eActionNode.xml_fill\u003c/code\u003e function processes the malicious XML, failing to properly neutralize directives.\u003c/li\u003e\n\u003cli\u003eThe injected code is dynamically evaluated within the MetaGPT environment.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution within the MetaGPT process, potentially escalating privileges.\u003c/li\u003e\n\u003cli\u003eThe attacker leverages the code execution to compromise the system, potentially gaining access to sensitive data.\u003c/li\u003e\n\u003cli\u003eThe attacker exfiltrates sensitive data or causes other damage based on their objectives.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 
id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-5971 can lead to arbitrary code execution on systems running vulnerable versions of FoundationAgents MetaGPT (\u0026lt;= 0.8.1). This could allow attackers to steal sensitive information, modify system configurations, install malware, or disrupt services. The availability of a public exploit increases the likelihood of widespread attacks targeting vulnerable systems. The specific number of potential victims and the targeted sectors are currently unknown, but any system running MetaGPT and processing potentially malicious XML input is at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply any available patches or updates for FoundationAgents MetaGPT to address CVE-2026-5971 as soon as they are released.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization measures to prevent malicious XML from being processed by the \u003ccode\u003eActionNode.xml_fill\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for suspicious activity related to XML processing, such as unusual requests or errors. Deploy the Sigma rule \u003ccode\u003eDetect MetaGPT XML Injection Attempt\u003c/code\u003e to identify potential exploit attempts based on HTTP request characteristics.\u003c/li\u003e\n\u003cli\u003eEnable process monitoring to detect suspicious processes spawned by MetaGPT, especially those with network connections. 
Deploy the Sigma rule \u003ccode\u003eDetect MetaGPT Suspicious Child Processes\u003c/code\u003e to identify potential post-exploitation activity.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-09T18:17:04Z","date_published":"2026-04-09T18:17:04Z","id":"/briefs/2024-01-29-metagpt-code-injection/","summary":"A code injection vulnerability exists in FoundationAgents MetaGPT \u003c= 0.8.1 within the ActionNode.xml_fill function, allowing remote attackers to inject code due to improper neutralization of directives in dynamically evaluated code.","title":"FoundationAgents MetaGPT Code Injection Vulnerability (CVE-2026-5971)","url":"https://feed.craftedsignal.io/briefs/2024-01-29-metagpt-code-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Metagpt","version":"https://jsonfeed.org/version/1.1"}