CVE-2026-11455
published 2026-06-07CVE-2026-11455: A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.2. Affected by this issue is the function check_cmd_exists of the file…
PriorityP339medium5CVSS 3.1
AVNACHPRLUINSUCLILAL
EPSS
0.94%
56.3th percentile
A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.2. Affected by this issue is the function check_cmd_exists of the file metagpt/utils/common.py. This manipulation of the argument mermaid.path causes command injection. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| foundationagents | metagpt | — | — |
| foundationagents | metagpt | — | — |
| foundationagents | metagpt | — | — |
CVSS provenance
nvdv3.15.0MEDIUMCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
nvdv4.01.3LOWCVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.04.6MEDIUMAV:N/AC:H/Au:S/C:P/I:P/A:P
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.2.
ghsa_unreviewed·2026-06-07
CVE-2026-11455 [LOW] CWE-74 A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.2.
A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.2. Affected by this issue is the function check_cmd_exists of the file metagpt/utils/common.py. This manipulation of the argument mermaid.path causes command injection. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
VulDB
FoundationAgents MetaGPT up to 0.8.2 metagpt/utils/common.py check_cmd_exists mermaid.path command injection (Issue 2037)
vuldb·2026-06-06
CVE-2026-11455 [CRITICAL] FoundationAgents MetaGPT up to 0.8.2 metagpt/utils/common.py check_cmd_exists mermaid.path command injection (Issue 2037)
A vulnerability was found in FoundationAgents MetaGPT up to 0.8.2. It has been classified as critical. Affected by this issue is the function check_cmd_exists of the file metagpt/utils/common.py. This manipulation of the argument mermaid.path causes command injection.
This vulnerability appears as CVE-2026-11455. The attack may be initiated remotely. In addition, an exploit is available.
The project was informed of the problem early through an issue report but has not responded yet.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/FoundationAgents/MetaGPT/https://github.com/FoundationAgents/MetaGPT/issues/2037https://vuldb.com/cve/CVE-2026-11455https://vuldb.com/submit/828206https://vuldb.com/vuln/369074https://vuldb.com/vuln/369074/ctihttps://www.notion.so/asuka39/MetaGPT-Command-Injection-via-Mermaid-path-Configuration-35fe35b8556880b29113c8c1b414a8b2?source=copy_link
2026-06-07
Published