CVE-2026-5970: MetaGPT has an Injection issue

April 9, 2026 (updated May 6, 2026)

A vulnerability was detected in FoundationAgents MetaGPT up to 0.8.1. This affects the function check_solution of the component HumanEvalBenchmark/MBPPBenchmark. Performing a manipulation results in code injection. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through a pull request but has not reacted yet.

References

github.com/FoundationAgents/MetaGPT
github.com/FoundationAgents/MetaGPT/issues/1942
github.com/FoundationAgents/MetaGPT/pull/1988
github.com/advisories/GHSA-g977-h85w-h2xj
nvd.nist.gov/vuln/detail/CVE-2026-5970
vuldb.com/submit/791693
vuldb.com/vuln/356524
vuldb.com/vuln/356524/cti

Code Behaviors & Features

Detect and mitigate CVE-2026-5970 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →