CVE-2026-5973

HIGH

FoundationAgents MetaGPT common.py get_mime_type os command injection

Title source: cna

Description

A vulnerability was found in FoundationAgents MetaGPT up to 0.8.1. Impacted is the function get_mime_type of the file metagpt/utils/common.py. The manipulation results in os command injection. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through a pull request but has not reacted yet.

References (6)

[Exploit] https://github.com/FoundationAgents/MetaGPT/issues/1930

[Patch] https://github.com/FoundationAgents/MetaGPT/pull/1983

[Product] https://github.com/FoundationAgents/MetaGPT/

[Vdb Entry, Technical Description] https://vuldb.com/vuln/356527

[Signature, Permissions Required] https://vuldb.com/vuln/356527/cti

[Third Party Advisory] https://vuldb.com/submit/791755

Scores

CVSS v3 7.3

EPSS 0.0048

EPSS Percentile 65.0%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-77 CWE-78

Status published

Products (4)

deepwisdom/metagpt < 0.8.1

FoundationAgents/MetaGPT 0.8.0

FoundationAgents/MetaGPT 0.8.1

pypi/metagpt 0PyPI

Published Apr 09, 2026

Tracked Since Apr 10, 2026