CVE-2026-5971 - Vulnerability Details

- FoundationAgents MetaGPT XML action_node.py ActionNode.xml_fill eval injection

Description

A flaw has been found in FoundationAgents MetaGPT up to 0.8.1. This vulnerability affects the function ActionNode.xml_fill of the file metagpt/actions/action_node.py of the component XML Handler. Executing a manipulation can lead to improper neutralization of directives in dynamically evaluated code. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.

Published: 2026-04-09

Score: 6.9 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in FoundationAgents MetaGPT disables proper neutralization of directives in dynamically evaluated code within the ActionNode.xml_fill function. This code evaluation vulnerability permits arbitrary code execution when an attacker supplies crafted input. An attacker who can influence the XML payload fed to this function could gain full control of the hosting environment, compromising confidentiality, integrity, and availability of the affected application. The description confirms that the exploit is published and usable, underscoring that the risk is not theoretical.

Affected Systems

The vulnerability affects FoundationAgents MetaGPT versions up to 0.8.1. Users running any of those releases are potentially exposed. No specific patch versions are listed, but the CVE statement indicates that the component is the XML Handler in metagpt/actions/action_node.py.

Risk and Exploitability

The CVSS score of 6.9 shows a moderate to high severity, and no EPSS score is available, so precise exploitation probability is unknown. The vulnerability is not listed in CISA's KEV catalog, but the public availability of an exploit means that a remote attacker can exploit it. Given that the project has not yet responded to reported issues, the likelihood of a widespread attack remains significant, and the impact would be severe if execution succeeds.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

FoundationAgents

MetaGPT

affected

Version	Status	Constraints
`0.8.0`	affected	—
`0.8.1`	affected	—

Configuration 1 [-]

cpe:2.3:a:deepwisdom:metagpt:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Foundation Agents

Metagpt

95%

Version	Status	Scheme	Platform
`0.8.0`	affected	semver	—
`0.8.1`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Apply a patched version of MetaGPT (0.8.2 or later) if available. If a patch is not yet released, deploy the latest tested version from the official repository.

Generated by OpenCVE AI on April 9, 2026 at 19:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-3ghp-8r47-4gj4	FoundationAgents MetaGPT vulnerable to eval injection

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00061.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://github.com/FoundationAgents/MetaGPT/
https://github.com/FoundationAgents/MetaGPT/issues/1928
https://github.com/FoundationAgents/MetaGPT/issues/1956
https://vuldb.com/submit/791734
https://vuldb.com/vuln/356525
https://vuldb.com/vuln/356525/cti

History

Wed, 29 Apr 2026 20:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Deepwisdom Deepwisdom metagpt
CPEs		cpe:2.3:a:deepwisdom:metagpt::::::::
Vendors & Products		Deepwisdom Deepwisdom metagpt

Mon, 13 Apr 2026 21:15:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 10 Apr 2026 09:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Foundation Agents Foundation Agents metagpt
Vendors & Products		Foundation Agents Foundation Agents metagpt

Thu, 09 Apr 2026 18:15:00 +0000

Type	Values Removed	Values Added
Description		A flaw has been found in FoundationAgents MetaGPT up to 0.8.1. This vulnerability affects the function ActionNode.xml_fill of the file metagpt/actions/action_node.py of the component XML Handler. Executing a manipulation can lead to improper neutralization of directives in dynamically evaluated code. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
Title		FoundationAgents MetaGPT XML action_node.py ActionNode.xml_fill eval injection
Weaknesses		CWE-94 CWE-95
References		https://github.com/FoundationAgents/MetaGPT/ https://github.com/FoundationAgents/MetaGPT/issues/1928 https://github.com/FoundationAgents/MetaGPT/issues/1956 https://vuldb.com/submit/791734 https://vuldb.com/vuln/356525 https://vuldb.com/vuln/356525/cti
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Deepwisdom Metagpt

Foundation Agents Metagpt

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-04-09T18:00:19.828Z

Updated: 2026-04-13T20:14:17.735Z

Reserved: 2026-04-09T12:04:20.721Z

Link: CVE-2026-5971

Vulnrichment

Updated: 2026-04-13T20:14:13.475Z

NVD

Status : Analyzed

Published: 2026-04-09T18:17:04.723

Modified: 2026-04-29T19:45:53.750

Link: CVE-2026-5971

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:31:46Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements None

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object