CVE-2026-6109
Published: 2026-04-12
Priority: P3 · 46 · high · 8.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 0.22% (12.9th percentile)
A vulnerability was identified in FoundationAgents MetaGPT up to 0.8.1. The affected element is the function evaluateCode in the file metagpt/environment/minecraft/mineflayer/index.js of the Mineflayer HTTP API component. Manipulation of this function can lead to cross-site request forgery. The attack can be performed remotely. The exploit has been publicly disclosed and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Affected
4 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| deepwisdom | metagpt | <= 0.8.1 | — |
| foundationagents | metagpt | — | — |
| foundationagents | metagpt | — | — |
| foundationagents | metagpt | 0 – 0.8.2 | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 5.0 | MEDIUM | AV:N/AC:L/Au:N/C:N/I:P/A:N |
GHSA
MetaGPT has an eval injection via a cross-site request forgery attack
ghsa·2026-04-12
CVE-2026-6109 [LOW] CWE-352 MetaGPT has an eval injection via a cross-site request forgery attack
A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.2. The impacted element is the function evaluateCode of the file metagpt/environment/minecraft/mineflayer/index.js of the component Mineflayer HTTP API. Executing a manipulation can lead to cross-site request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
GHSA
GHSA-w287-wwhf-95vv: A vulnerability was determined in FoundationAgents MetaGPT up to 0
ghsa_unreviewed·2026-04-12
CVE-2026-6109 [MEDIUM] CWE-352 GHSA-w287-wwhf-95vv: A vulnerability was determined in FoundationAgents MetaGPT up to 0
A vulnerability was determined in FoundationAgents MetaGPT up to 0.8.1. The impacted element is the function evaluateCode of the file metagpt/environment/minecraft/mineflayer/index.js of the component Mineflayer HTTP API. Executing a manipulation can lead to cross-site request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
VulDB
FoundationAgents MetaGPT up to 0.8.1 Mineflayer HTTP API index.js evaluateCode cross-site request forgery (Issue 1932)
vuldb·2026-04-11·CVSS 5.3
CVE-2026-6109 [MEDIUM] FoundationAgents MetaGPT up to 0.8.1 Mineflayer HTTP API index.js evaluateCode cross-site request forgery (Issue 1932)
A vulnerability labeled as problematic has been found in FoundationAgents MetaGPT up to 0.8.1. The impacted element is the function evaluateCode of the file metagpt/environment/minecraft/mineflayer/index.js of the component Mineflayer HTTP API. Executing a manipulation can lead to cross-site request forgery.
This vulnerability appears as CVE-2026-6109. The attack may be performed from remote. In addition, an exploit is available.
The project was informed of the problem early through an issue report but has not responded yet.
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-04-12