CVE-2026-6109

MEDIUM4.3EPSS 0.01%

MetaGPT has an eval injection via a cross-site request forgery attack

Published: 4/12/2026Modified: 4/14/2026

Description

A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.2. The impacted element is the function evaluateCode of the file metagpt/environment/minecraft/mineflayer/index.js of the component Mineflayer HTTP API. Executing a manipulation can lead to cross-site request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

Affected packages (1)

PyPI/metagptfrom 0, <= 0.8.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N

References (6)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2026-6109
PATCHhttps://github.com/FoundationAgents/MetaGPT
WEBhttps://github.com/FoundationAgents/MetaGPT/issues/1932
WEBhttps://vuldb.com/submit/791759
WEBhttps://vuldb.com/vuln/356969
WEBhttps://vuldb.com/vuln/356969/cti