PYSEC-2026-2645

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/metagpt/PYSEC-2026-2645.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-2645
Aliases
Published
2026-07-13T15:02:47.332553Z
Modified
2026-07-13T16:31:50.890129222Z
Severity
  • 7.3 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L CVSS Calculator
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
MetaGPT has an eval injection in metagpt/strategy/tot.py
Details

A vulnerability was identified in FoundationAgents MetaGPT up to 0.8.2. This affects the function generate_thoughts of the file metagpt/strategy/tot.py of the component Tree-of-Thought Solver. The manipulation leads to code injection. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

References

Affected packages

PyPI / metagpt

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
0.8.2

Affected versions

0.*
0.1
0.3.0
0.4.0
0.5.0
0.5.1
0.5.2
0.6.0
0.6.1
0.6.2
0.6.3
0.6.4
0.6.5
0.6.6
0.6.7
0.6.8
0.6.9
0.6.10
0.6.11
0.6.12
0.6.13
0.7.0
0.7.1
0.7.2
0.7.3
0.7.4
0.7.6
0.7.7
0.8.0
0.8.1
0.8.2

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/metagpt/PYSEC-2026-2645.yaml"