CVE-2026-5972

Source
https://cve.org/CVERecord?id=CVE-2026-5972
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-5972.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-5972
Aliases
Published
2026-04-09T19:00:20.513Z
Modified
2026-07-15T01:49:06.827493476Z
Severity
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
FoundationAgents MetaGPT terminal.py Terminal.run_command os command injection
Details

A vulnerability has been found in FoundationAgents MetaGPT up to 0.8.1. This issue affects the function Terminal.run_command in the library metagpt/tools/libs/terminal.py. The manipulation leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The identifier of the patch is d04ffc8dc67903e8b327f78ec121df5e190ffc7b. Applying a patch is the recommended action to fix this issue.

Database specific
{
    "cwe_ids": [
        "CWE-77",
        "CWE-78"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/5xxx/CVE-2026-5972.json",
    "cna_assigner": "VulDB"
}
References

Affected packages

Git / github.com/foundationagents/metagpt

Affected ranges

Type
GIT
Repo
https://github.com/foundationagents/metagpt
Events
Database specific
{
    "cpe": "cpe:2.3:a:deepwisdom:metagpt:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0.8.0"
        },
        {
            "last_affected": "0.8.0"
        },
        {
            "introduced": "0.8.1"
        },
        {
            "last_affected": "0.8.1"
        },
        {
            "introduced": "0"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ]
}
Type
GIT
Repo
https://github.com/paipeline/metagpt
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

0.*
0.8.0
0.8.1
v0.*
v0.1.0
v0.2.0
v0.2.1
v0.3.0
v0.8.0
v0.8.1
v0.8.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-5972.json"