{"id":"CVE-2026-5974","summary":"FoundationAgents MetaGPT terminal.py Bash.run os command injection","details":"A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.1. The affected element is the function Bash.run in the library metagpt/tools/libs/terminal.py. This manipulation causes os command injection. The attack is possible to be carried out remotely. The project was informed of the problem early through a pull request but has not reacted yet.","aliases":["GHSA-fcc8-4q7h-wvwc","PYSEC-2026-2639"],"modified":"2026-07-15T01:49:17.674211998Z","published":"2026-04-09T19:30:15.216Z","database_specific":{"cna_assigner":"VulDB","cwe_ids":["CWE-77","CWE-78"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/5xxx/CVE-2026-5974.json"},"references":[{"type":"WEB","url":"https://github.com/FoundationAgents/MetaGPT/"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/5xxx/CVE-2026-5974.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-5974"},{"type":"ADVISORY","url":"https://vuldb.com/submit/791758"},{"type":"ADVISORY","url":"https://vuldb.com/vuln/356528"},{"type":"REPORT","url":"https://github.com/FoundationAgents/MetaGPT/issues/1931"},{"type":"REPORT","url":"https://vuldb.com/vuln/356528/cti"},{"type":"FIX","url":"https://github.com/FoundationAgents/MetaGPT/pull/1940"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/foundationagents/metagpt","events":[{"introduced":"feb2d30364e68cd74193d8f7715c3b90fafd02ec"},{"last_affected":"c036574507e7616c02512e7c8ad88dd847783afa"}],"database_specific":{"source":["AFFECTED_FIELD","CPE_RANGE"],"cpe":"cpe:2.3:a:deepwisdom:metagpt:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"0.8.0"},{"last_affected":"0.8.0"},{"introduced":"0.8.1"},{"last_affected":"0.8.1"},{"introduced":"0"}]}}],"versions":["0.8.0","0.8.1","v0.8.1","v0.8.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-5974.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X"}]}