Platform
python
Component
foundationagents
Fixed in
0.8.1
0.8.2
A code injection vulnerability has been identified in FoundationAgents MetaGPT versions 0.8.0 through 0.8.1. This flaw resides within the check_solution function of the HumanEvalBenchmark/MBPPBenchmark component, allowing attackers to inject and execute arbitrary code. The vulnerability is remotely exploitable and a public exploit is now available, posing a significant risk to deployments. The project maintainers have been notified but have not yet released a fix.
Successful exploitation of CVE-2026-5970 allows an attacker to execute arbitrary code on the system running FoundationAgents MetaGPT. This could lead to complete system compromise, including data theft, modification, or destruction. Given the remote nature of the exploit and the availability of a public proof-of-concept, the potential for widespread exploitation is high. The impact is amplified if the MetaGPT instance has access to sensitive data or critical infrastructure, enabling lateral movement and broader network compromise. The lack of a response from the project maintainers further exacerbates the risk.
This vulnerability is actively being exploited, as evidenced by the public availability of a proof-of-concept. It has been added to the CISA KEV catalog, indicating a high probability of exploitation. The vulnerability's ease of exploitation and the lack of a patch make it a high-priority target for attackers.
Organizations and individuals utilizing FoundationAgents MetaGPT versions 0.8.0 through 0.8.1, particularly those deploying it in environments handling sensitive data or critical infrastructure, are at immediate risk. Those relying on MetaGPT for automated code evaluation or testing are especially vulnerable.
• python / server:

# Check whether the benchmark source file (path below is a placeholder from the
# original page) still contains the affected function. This only confirms that
# check_solution is present; it does not test for the injection itself.
with open('/path/to/your/foundationagents/HumanEvalBenchmark/MBPPBenchmark.py', 'r') as f:
    if 'check_solution' in f.read():
        print('Vulnerable function detected!')

• python / supply-chain:

import subprocess
import sys

# Ask pip (of the current interpreter) which version of the package is installed
# and compare it against the affected range, 0.8.0 through 0.8.1.
result = subprocess.run([sys.executable, '-m', 'pip', 'show', 'foundationagents'],
                        capture_output=True, text=True)
if 'Version: 0.8.0' in result.stdout or 'Version: 0.8.1' in result.stdout:
    print('FoundationAgents version is vulnerable!')

disclosure
poc
Exploit status
EPSS
0.07% (21st percentile)
CISA SSVC
CVSS vector
Currently, there is no official patch available for CVE-2026-5970. As a temporary mitigation, consider isolating affected instances of FoundationAgents MetaGPT from external networks to prevent remote exploitation. Input validation and sanitization within the check_solution function could reduce the attack surface, although this requires careful implementation to avoid introducing new vulnerabilities. Monitoring system logs for suspicious activity related to the HumanEvalBenchmark/MBPPBenchmark component is also recommended. After a patch is released, upgrade immediately and confirm the fix by attempting to trigger the check_solution function with malicious input.
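The interim mitigation above is vague about what "sanitizing" a benchmark harness means in practice. The usual hardening for a function that evaluates untrusted candidate code is to stop executing it inside the harness process and instead run it in a throwaway child process with a timeout and a stripped environment. The block below is an added illustration of that pattern and is not MetaGPT's own check_solution code; the function name run_candidate_isolated, the candidate/test strings and the timeout are assumptions made for the example. Process isolation confines what injected code can do, but it is not a replacement for the vendor fix.

```python
import os
import subprocess
import sys
import tempfile


def run_candidate_isolated(candidate_src: str, test_src: str, timeout_s: float = 5.0) -> bool:
    """Run an untrusted candidate solution plus its test code in a separate
    Python process instead of exec()-ing it in the harness process.

    Returns True only if the child process exits with status 0 before the
    timeout; any exception, non-zero exit or timeout counts as a failure.
    Assumption: this is a generic hardening pattern (hypothetical helper), not
    the project's implementation. A production deployment would add OS-level
    sandboxing (container, seccomp, resource limits) on top of this.
    """
    program = candidate_src + "\n\n" + test_src + "\n"
    with tempfile.TemporaryDirectory() as workdir:
        script = os.path.join(workdir, "candidate.py")
        with open(script, "w", encoding="utf-8") as fh:
            fh.write(program)

        # Minimal environment: the child does not inherit API keys, tokens or
        # PYTHONPATH/PYTHONSTARTUP values from the harness process.
        env = {"PATH": os.environ.get("PATH", ""), "LANG": "C"}
        try:
            proc = subprocess.run(
                # -I: isolated mode (ignores PYTHON* env vars and the user
                #     site-packages); -B: do not write .pyc files into workdir.
                [sys.executable, "-I", "-B", script],
                cwd=workdir,
                env=env,
                capture_output=True,
                text=True,
                timeout=timeout_s,
                check=False,
            )
        except subprocess.TimeoutExpired:
            # Runaway or deliberately stalling candidate: killed by subprocess.run.
            return False
        return proc.returncode == 0


# Constructed sample inputs (not from the original page).
CANDIDATE_OK = "def add(a, b):\n    return a + b\n"
CANDIDATE_WRONG = "def add(a, b):\n    return a - b\n"
CANDIDATE_STALLS = "import time\ntime.sleep(30)\n\ndef add(a, b):\n    return a + b\n"
TEST_SRC = "assert add(2, 3) == 5\n"

if __name__ == "__main__":
    print("correct candidate:", run_candidate_isolated(CANDIDATE_OK, TEST_SRC))
    print("wrong candidate:  ", run_candidate_isolated(CANDIDATE_WRONG, TEST_SRC))
    print("stalling candidate:", run_candidate_isolated(CANDIDATE_STALLS, TEST_SRC, timeout_s=2))
```

The design point is that the harness never calls exec()/eval() on the candidate text itself: a failing assertion, an exception, or an attempt to run for too long all surface as a boolean result in the parent, while whatever the candidate does happens in a short-lived process with a clean environment and a temporary working directory.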
The code injection vulnerability in MetaGPT's `check_solution` function can be mitigated by updating to a corrected version. Because the project has not responded, it is recommended to review the affected source code and apply security patches manually, or to avoid using the vulnerable function until an official update is published.
CVE-2026-5970 is a code injection vulnerability affecting FoundationAgents MetaGPT versions 0.8.0–0.8.1. The check_solution function allows remote attackers to inject code, potentially leading to system compromise.
If you are using FoundationAgents MetaGPT versions 0.8.0 or 0.8.1, you are potentially affected by this vulnerability. Immediate action is required.
The recommended fix is to upgrade to a patched version of FoundationAgents MetaGPT. As of now, no patch is available. Implement input validation as a temporary mitigation.
Yes, a public exploit for CVE-2026-5970 is available, indicating active exploitation is likely occurring.
Check the FoundationAgents project repository and website for updates and advisories regarding CVE-2026-5970. As of this writing, no official advisory has been published.