CVE-2026-5973: FoundationAgents MetaGPT vulnerable to OS Command Injection in metagpt/utils/common.py
A vulnerability was found in FoundationAgents MetaGPT up to 0.8.1. It affects the function get_mime_type in the file metagpt/utils/common.py. Manipulating its input results in OS command injection. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through a pull request but has not reacted yet.
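To check a project against the affected range above, the following added example (not code from MetaGPT or from this advisory's publisher) scans a requirements file and the current environment for MetaGPT versions up to 0.8.1. It assumes the PyPI distribution name `metagpt`; the function names and sample file are constructed for illustration, and "not listed" only means the version is outside the stated range, since the page names no fixed release.

```python
import re
from importlib import metadata

PACKAGE = "metagpt"        # assumption: MetaGPT's distribution name on PyPI
LAST_AFFECTED = (0, 8, 1)  # "up to 0.8.1", from the advisory text

# name, optional [extras], optional exact pin (== or ===)
_REQ = re.compile(r"([A-Za-z0-9._-]+)\s*(?:\[[^\]]*\])?\s*(?:===?\s*([0-9][0-9A-Za-z.]*))?")

def _release(version):
    """Numeric release prefix without trailing zeros: '0.8.0rc1' -> (0, 8)."""
    nums = [int(n) for n in re.match(r"\d+(?:\.\d+)*", version).group().split(".")]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)

def is_listed_affected(version):
    return _release(version) <= LAST_AFFECTED

def scan_requirements(text):
    """Return (line_no, requirement, status) for each MetaGPT entry."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        m = _REQ.match(line)
        if not m or re.sub(r"[-_.]+", "-", m.group(1)).lower() != PACKAGE:
            continue
        if m.group(2) is None:
            status = "unpinned: check the resolved version"
        else:
            status = "affected" if is_listed_affected(m.group(2)) else "not listed"
        findings.append((no, line, status))
    return findings

def installed_status():
    """(version, listed_affected) for the current environment, or None."""
    try:
        version = metadata.version(PACKAGE)
    except metadata.PackageNotFoundError:
        return None
    return version, is_listed_affected(version)

SAMPLE = """\
# constructed requirements file, not from a real project
requests==2.31.0
MetaGPT[rag]==0.8.1   # exact pin inside the listed range
metagpt-example-plugin==0.1.0
metagpt>=0.7
"""

if __name__ == "__main__":
    for finding in scan_requirements(SAMPLE):
        print(*finding)
    print("installed:", installed_status())
```

Entries without an exact pin are reported separately because the requirement line alone does not say which version the resolver installed; `installed_status()` answers that for the active environment.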