CVE-2026-33054

Mesop is a Python-based UI framework that allows users to build web applications. Versions 1.2.2 and below contain a Path Traversal vulnerability that allows any user supplying an untrusted state_token through the UI stream payload to arbitrarily target files on the disk under the standard file-based runtime backend. This can result in application denial of service (via crash loops when reading non-msgpack target files as configurations), or arbitrary file manipulation. This vulnerability heavily exposes systems hosted utilizing FileStateSessionBackend. Unauthorized malicious actors could interact with arbitrary payloads overwriting or explicitly removing underlying service resources natively outside the application bounds. This issue has been fixed in version 1.2.3.

CVSS v3 10.0 CRITICAL

10.0^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 6.0

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope CHANGED

References

Link	Resource
https://github.com/mesop-dev/mesop/commit/c6b382f363b73ac32c402a2db3aadc7784f66a5b	Patch
https://github.com/mesop-dev/mesop/releases/tag/v1.2.3	Release Notes
https://github.com/mesop-dev/mesop/security/advisories/GHSA-8qvf-mr4w-9x2c	Exploit Vendor Advisory
https://github.com/mesop-dev/mesop/security/advisories/GHSA-8qvf-mr4w-9x2c	Exploit Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:mesop-dev:mesop:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-20 07:16

Updated : 2026-03-24 16:29

NVD link : CVE-2026-33054

Mitre link : CVE-2026-33054

CVE.ORG link : CVE-2026-33054

JSON object : View

Products Affected

mesop-dev

mesop

CWE

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

{"id": "CVE-2026-33054", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 10.0, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 6.0, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}]}, "published": "2026-03-20T07:16:13.363", "references": [{"url": "https://github.com/mesop-dev/mesop/commit/c6b382f363b73ac32c402a2db3aadc7784f66a5b", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mesop-dev/mesop/releases/tag/v1.2.3", "tags": ["Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mesop-dev/mesop/security/advisories/GHSA-8qvf-mr4w-9x2c", "tags": ["Exploit", "Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/mesop-dev/mesop/security/advisories/GHSA-8qvf-mr4w-9x2c", "tags": ["Exploit", "Vendor Advisory"], "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-22"}]}], "descriptions": [{"lang": "en", "value": "Mesop is a Python-based UI framework that allows users to build web applications. Versions 1.2.2 and below contain a Path Traversal vulnerability that allows any user supplying an untrusted state_token through the UI stream payload to arbitrarily target files on the disk under the standard file-based runtime backend. This can result in application denial of service (via crash loops when reading non-msgpack target files as configurations), or arbitrary file manipulation. This vulnerability heavily exposes systems hosted utilizing FileStateSessionBackend. Unauthorized malicious actors could interact with arbitrary payloads overwriting or explicitly removing underlying service resources natively outside the application bounds. This issue has been fixed in version 1.2.3."}, {"lang": "es", "value": "Mesop es un framework de interfaz de usuario basado en Python que permite a los usuarios construir aplicaciones web. Las versiones 1.2.2 e inferiores contienen una vulnerabilidad de salto de ruta que permite a cualquier usuario que suministre un state_token no confiable a trav\u00e9s de la carga \u00fatil del flujo de la interfaz de usuario dirigirse arbitrariamente a archivos en el disco bajo el backend de tiempo de ejecuci\u00f3n est\u00e1ndar basado en archivos. Esto puede resultar en denegaci\u00f3n de servicio de la aplicaci\u00f3n (a trav\u00e9s de bucles de bloqueo al leer archivos de destino que no son msgpack como configuraciones), o manipulaci\u00f3n arbitraria de archivos. Esta vulnerabilidad expone gravemente los sistemas alojados que utilizan FileStateSessionBackend. Actores maliciosos no autorizados podr\u00edan interactuar con cargas \u00fatiles arbitrarias sobrescribiendo o eliminando expl\u00edcitamente recursos de servicio subyacentes de forma nativa fuera de los l\u00edmites de la aplicaci\u00f3n. Este problema ha sido solucionado en la versi\u00f3n 1.2.3."}], "lastModified": "2026-03-24T16:29:12.830", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:mesop-dev:mesop:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "D66D038F-24FF-444E-B60F-6EAC62CDBB08", "versionEndExcluding": "1.2.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}