PYSEC-2026-2644

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/metagpt/PYSEC-2026-2644.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2644
Aliases
Published
2026-07-13T14:36:50.669901Z
Modified
2026-07-13T16:31:50.023187071Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
FoundationAgents MetaGPT vulnerable to os command injection via the Terminal.run_command
Details

A vulnerability has been found in FoundationAgents MetaGPT up to 0.8.1. This issue affects the function Terminal.run_command in the library metagpt/tools/libs/terminal.py. The manipulation leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The identifier of the patch is d04ffc8dc67903e8b327f78ec121df5e190ffc7b. Applying a patch is the recommended action to fix this issue.

References

Affected packages

PyPI / metagpt

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0.8.2

Affected versions

0.*
0.1
0.3.0
0.4.0
0.5.0
0.5.1
0.5.2
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.6.10
0.6.11
0.6.12
0.6.13
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.6
0.7.7
0.8.0
0.8.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/metagpt/PYSEC-2026-2644.yaml"