PYSEC-2026-2643

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/metagpt/PYSEC-2026-2643.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2643
Aliases
Published
2026-07-13T15:02:47.274869Z
Modified
2026-07-13T16:31:49.979667082Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
  • 2.1 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
MetaGPT has an eval injection via a cross-site request forgery attack
Details

A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.2. The impacted element is the function evaluateCode of the file metagpt/environment/minecraft/mineflayer/index.js of the component Mineflayer HTTP API. Executing a manipulation can lead to cross-site request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

References

Affected packages

PyPI / metagpt

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.8.2

Affected versions

0.*
0.1
0.3.0
0.4.0
0.5.0
0.5.1
0.5.2
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.6.10
0.6.11
0.6.12
0.6.13
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.6
0.7.7
0.8.0
0.8.1
0.8.2

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/metagpt/PYSEC-2026-2643.yaml"